Table Of Contents
crypto key decrypt rsa
crypto key encrypt rsa
crypto key export pem
crypto key generate rsa
crypto key import pem
crypto key lock rsa
crypto key pubkey-chain rsa
crypto key unlock rsa
crypto key zeroize rsa
crypto keyring
crypto map (global IPSec)
crypto map (interface IPSec)
crypto map client authentication list
crypto map client configuration address
crypto map isakmp authorization list
crypto map isakmp-profile
crypto map local-address
crypto map redundancy replay-interval
crypto mib ipsec flowmib history failure size
crypto mib ipsec flowmib history tunnel size
crypto pki authenticate
crypto pki cert validate
crypto pki certificate chain
crypto pki certificate map
crypto pki certificate query (ca-trustpoint)
crypto pki crl request
crypto pki enroll
crypto pki export pem
crypto pki export pkcs12
crypto pki import
crypto pki import pem
crypto pki import pkcs12
crypto pki profile enrollment
crypto pki server
crypto pki server grant
crypto pki server info crl
crypto pki server info requests
crypto pki server password generate
crypto pki server reject
crypto pki server remove
crypto pki server request pkcs10
crypto pki server revoke
crypto pki trustpoint
crypto provisioning petitioner
crypto provisioning registrar
crypto wui tti petitioner
crypto wui tti registrar
ctype
crypto key decrypt rsa
To delete the encrypted RSA key and leave only the unencrypted key on the running router, use the crypto key decrypt rsa command in global configuration mode.
crypto key decrypt [write] rsa [name key-name] passphrase passphrase
Syntax Description
write | (Optional) The clear-text (unencrypted) key is immediately written to NVRAM. If the write keyword is not issued, the configuration must be written to NVRAM manually; otherwise the stored key remains encrypted and will be locked again the next time the router is reloaded.
name key-name | (Optional) Name of the RSA key pair that is to be decrypted.
passphrase passphrase | Passphrase that is used to decrypt the RSA key. It must match the passphrase that was specified via the crypto key encrypt rsa command.
Defaults
The private key running on the router is encrypted.
Command Modes
Global configuration
Command History
Release | Modification
12.3(7)T | This command was introduced.
Usage Guidelines
Use the crypto key decrypt rsa command to store the decrypted private key in NVRAM the next time NVRAM is written (which is immediately if the write keyword is issued). Until that write happens, only the running copy of the key is unencrypted.
Examples
The following example shows how to decrypt the RSA key "pki1-72a.cisco.com":
Router(config)# crypto key decrypt write rsa name pki1-72a.cisco.com passphrase cisco1234
Related Commands
Command | Description
crypto key encrypt rsa | Encrypts the RSA private key.
show crypto key mypubkey rsa | Displays the RSA public keys of your router.
crypto key encrypt rsa
To encrypt the RSA private key, use the crypto key encrypt rsa command in global configuration mode.
crypto key encrypt [write] rsa [name key-name] passphrase passphrase
Syntax Description
write | (Optional) The router configuration is immediately written to NVRAM. If the write keyword is not issued, the configuration must be written to NVRAM manually; otherwise the encryption is lost on the next reload and the key comes back unprotected.
name key-name | (Optional) Name of the RSA key pair that is to be encrypted. If a key name is not specified, the default key name, routername.domainname, is used.
passphrase passphrase | Passphrase that is used to encrypt the RSA key. To regain access to the RSA key pair after it is locked, the same passphrase must be specified.
Defaults
RSA keys are not encrypted.
Command Modes
Global configuration
Command History
Release | Modification
12.3(7)T | This command was introduced.
Usage Guidelines
The private key is encrypted (protected) with the specified passphrase. After the key is protected, it may continue to be used by the router; that is, Internet Key Exchange (IKE) tunnels and encrypted key export attempts continue to work because the key remains "unlocked" (a plain-text copy is still held in memory).
To lock the key, issue the crypto key lock rsa privileged EXEC command. Locking discards the plain-text copy, so every function that uses the locked key (IKE, SSH, PKI operations) is disabled until the key is unlocked again.
Examples
The following example shows how to encrypt the RSA key "pki1-72a.cisco.com." Thereafter, the show crypto key mypubkey rsa command is issued to verify that the RSA key is encrypted and unlocked.
Router(config)# crypto key encrypt rsa name pki1-72a.cisco.com passphrase cisco1234
Router# show crypto key mypubkey rsa
% Key pair was generated at:00:15:32 GMT Jun 25 2003
Key name:pki1-72a.cisco.com
Usage:General Purpose Key
*** The key is protected and UNLOCKED. ***
Key is not exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00E0CC9A 1D23B52C
CD00910C ABD392AE BA6D0E3F FC47A0EF 8AFEE340 0EC1E62B D40E7DCC
23C4D09E
03018B98 E0C07B42 3CFD1A32 2A3A13C0 1FF919C5 8DE9565F 1F020301 0001
% Key pair was generated at:00:15:33 GMT Jun 25 2003
Key name:pki1-72a.cisco.com.server
Usage:Encryption Key
Key is exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00D3491E 2A21D383
854D7DA8 58AFBDAC 4E11A7DD E6C40AC6 66473A9F 0C845120 7C0C6EC8 1FFF5757
3A41CE04 FDCB40A4 B9C68B4F BC7D624B 470339A3 DE739D3E F7DDB549 91CD4DA4
DF190D26 7033958C 8A61787B D40D28B8 29BCD0ED 4E6275C0 6D020301 0001
Related Commands
Command | Description
crypto key decrypt rsa | Deletes the encrypted RSA key and leaves only the unencrypted key on the running router.
crypto key lock rsa | Locks the RSA private key in a router.
show crypto key mypubkey rsa | Displays the RSA public keys of your router.
crypto key export pem
To export Rivest, Shamir, and Adleman (RSA) keys in privacy-enhanced mail (PEM)-formatted files, use the crypto key export pem command in global configuration mode.
crypto key export rsa key-label pem {terminal | url url} {3des | des} passphrase
Syntax Description
rsa key-label | Name of the RSA key pair that will be exported. The key-label argument must match the key pair name that was specified via the crypto key generate rsa command.
terminal | RSA key pair will be displayed in PEM format on the console terminal.
url url | URL of the file system where your router should export the RSA key pair.
3des | Export the RSA key pair using the Triple Data Encryption Standard (3DES) encryption algorithm.
des | Export the RSA key pair using the DES encryption algorithm. Single DES has only a 56-bit key; prefer 3des for any export that will be kept.
passphrase | Passphrase that is used to encrypt the PEM file for import. Note The passphrase can be any phrase that is at least eight characters in length; it can include spaces and punctuation, excluding the question mark (?), which has special meaning to the Cisco IOS parser.
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Release | Modification
12.3(4)T | This command was introduced.
Usage Guidelines
The crypto key export pem command allows you to export RSA key pairs in PEM-formatted files. The PEM files can then be imported back into a Cisco IOS router or other public key infrastructure (PKI) applications.
Note
Before you can export a RSA key pair in a PEM file, ensure that the RSA key pair is exportable. To generate an exportable RSA key pair, issue the crypto key generate rsa command and specify the exportable keyword.
Examples
The following example shows how to generate, export, bring the key back (import), and verify the status of the RSA key pair "mycs":
Router(config)# crypto key generate rsa general-keys label mycs exportable
The name for the keys will be: mycs
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose
Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]
! Archive the key pair to a remote location, and use a good password.
Router(config)# crypto key export rsa mycs pem url nvram: 3des PASSWORD
Usage: General Purpose Key
Destination filename [mycs.pub]?
Writing file to nvram:mycs.pub
Destination filename [mycs.prv]?
Writing file to nvram:mycs.prv
! Import the key as a different name.
Router(config)# crypto key import rsa mycs2 pem url nvram:mycs PASSWORD
% Importing public key or certificate PEM file...
Source filename [mycs.pub]?
Reading file from nvram:mycs.pub
% Importing private key PEM file...
Source filename [mycs.prv]?
Reading file from nvram:mycs.prv
% Key pair import succeeded.
! After the key has been imported, it is no longer exportable.
! Verify the status of the key.
Router# show crypto key mypubkey rsa
% Key pair was generated at: 18:04:56 GMT Jun 6 2003
Usage: General Purpose Key
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E65253
9C30C12E 295AB73F B1DF9FAD 86F88192 7D4FA4D2 8BA7FB49 9045BAB9 373A31CB
A6B1B8F4 329F2E7E 8A50997E AADBCFAA 23C29E19 C45F4F05 DBB2FA51 4B7E9F79
A1095115 759D6BC3 5DFB5D7F BCF655BF 6317DB12 A8287795 7D8DC6A3 D31B2486
C9C96D2C 2F70B50D 3B4CDDAE F661041A 445AE11D 002EEF08 F2A627A0 5B020301 0001
% Key pair was generated at: 18:17:25 GMT Jun 6 2003
Usage: General Purpose Key
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E65253
9C30C12E 295AB73F B1DF9FAD 86F88192 7D4FA4D2 8BA7FB49 9045BAB9 373A31CB
A6B1B8F4 329F2E7E 8A50997E AADBCFAA 23C29E19 C45F4F05 DBB2FA51 4B7E9F79
A1095115 759D6BC3 5DFB5D7F BCF655BF 6317DB12 A8287795 7D8DC6A3 D31B2486
C9C96D2C 2F70B50D 3B4CDDAE F661041A 445AE11D 002EEF08 F2A627A0 5B020301 0001
Related Commands
Command | Description
crypto key generate rsa | Generates RSA key pairs.
crypto key import pem | Imports RSA keys in PEM-formatted files.
crypto key generate rsa
To generate Rivest, Shamir, and Adleman (RSA) key pairs, use the crypto key generate rsa command in global configuration mode.
crypto key generate rsa [general-keys | usage-keys | signature | encryption] [label key-label] [exportable] [modulus modulus-size] [storage devicename:] [on devicename:]
Syntax Description
general-keys | (Optional) Specifies that a general-purpose key pair will be generated, which is the default.
usage-keys | (Optional) Specifies that two RSA special-usage key pairs, one encryption pair and one signature pair, will be generated.
signature | (Optional) Specifies that the RSA key pair generated will be a signature special-usage key.
encryption | (Optional) Specifies that the RSA key pair generated will be an encryption special-usage key.
label key-label | (Optional) Name assigned to the RSA key pair; this is also the name used when the pair is exported. If a key label is not specified, the fully qualified domain name (FQDN) of the router is used.
exportable | (Optional) Specifies that the RSA key pair can be exported to another Cisco device, such as a router.
modulus modulus-size | (Optional) Specifies the size of the key modulus in bits. By default, the modulus of a CA key is 1024 bits; the recommended modulus for a CA key is 2048 bits. The range of a CA key modulus is from 360 to 2048 bits. If you do not enter the modulus keyword and specify a key size, you will be prompted.
storage devicename: | (Optional) Specifies the key storage location. The name of the storage device is followed by a colon (:).
on devicename: | (Optional) Specifies that the RSA key pair will be created on the specified device, including a USB token, local disk, or NVRAM. The name of the device is followed by a colon (:). Keys created on a USB token have a maximum size of 1024 bits.
Command Default
RSA key pairs do not exist.
Command Modes
Global configuration
Command History
Release | Modification
11.3 | This command was introduced.
12.2(8)T | The key-label argument was added.
12.2(15)T | The exportable keyword was added.
12.2(18)SXD | This command was integrated into Cisco IOS Release 12.2(18)SXD.
12.4(4)T | The storage keyword and devicename: argument were added.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.4(11)T | The storage keyword and devicename: argument were implemented on the Cisco 7200VXR NPE-G2 platform. The signature, encryption and on keywords and devicename: argument were added.
Usage Guidelines
Use this command to generate RSA key pairs for your Cisco device (such as a router).
RSA keys are generated in pairs—one public RSA key and one private RSA key.
If your router already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys.
Note
Before issuing this command, ensure that your router has a hostname and IP domain name configured (with the hostname and ip domain-name commands). You will be unable to complete the crypto key generate rsa command without a hostname and IP domain name. (This situation is not true when you only generate a named key pair.)
Note
Secure Shell (SSH) may generate an additional RSA key pair if you generate a key pair on a router having no RSA keys. The additional key pair is used only by SSH and will have a name such as {router_FQDN}.server. For example, if a router name is "router1.cisco.com," the key name is "router1.cisco.com.server."
This command is not saved in the router configuration; however, the RSA keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device) the next time the configuration is written to NVRAM.
Note
If the configuration is not saved to NVRAM, the generated keys are lost on the next reload of the router.
There are two mutually exclusive types of RSA key pairs: special-usage keys and general-purpose keys. When you generate RSA key pairs, you will be prompted to select either special-usage keys or general-purpose keys.
Special-Usage Keys
If you generate special-usage keys, two pairs of RSA keys will be generated. One pair will be used with any Internet Key Exchange (IKE) policy that specifies RSA signatures as the authentication method, and the other pair will be used with any IKE policy that specifies RSA encrypted keys as the authentication method.
A certification authority (CA) is used only with IKE policies specifying RSA signatures, not with IKE policies specifying RSA-encrypted nonces. (However, you could specify more than one IKE policy and have RSA signatures specified in one policy and RSA-encrypted nonces in another policy.)
If you plan to have both types of RSA authentication methods in your IKE policies, you may prefer to generate special-usage keys. With special-usage keys, each key is not unnecessarily exposed. (Without special-usage keys, one key is used for both authentication methods, increasing the exposure of that key.)
General-Purpose Keys
If you generate general-purpose keys, only one pair of RSA keys will be generated. This pair will be used with IKE policies specifying either RSA signatures or RSA encrypted keys. Therefore, a general-purpose key pair might get used more frequently than a special-usage key pair.
Named Key Pairs
If you generate a named key pair using the label key-label keyword and argument, you must also specify the usage-keys keyword or the general-keys keyword. Named key pairs allow you to have multiple RSA key pairs, enabling the Cisco IOS software to maintain a different key pair for each identity certificate.
Modulus Length
When you generate RSA keys, you will be prompted to enter a modulus length. The longer the modulus, the stronger the key; however, a longer modulus takes longer to generate (see Table 18 for sample times) and longer to use.
Cisco IOS software does not support a modulus greater than 4096 bits. A length of less than 512 bits is normally not recommended. In certain situations, the shorter modulus may not function properly with IKE, so we recommend using a minimum modulus of 1024 bits.
Note
As of Cisco IOS Release 12.4(11)T, peer public RSA key modulus values up to 4096 bits are automatically supported.
The largest private RSA key modulus is 2048 bits. Therefore, the largest RSA private key a router may generate or import is 2048 bits.
The recommended modulus for a CA is 2048 bits; the recommended modulus for a client is 1024 bits. These figures reflect the platforms of the 12.4T era; current guidance (for example NIST SP 800-131A) treats RSA moduli below 2048 bits as inadequate, so choose 2048 bits wherever the platform permits.
Table 18 Sample Times by Modulus Length to Generate RSA Keys
Router | 360 bits | 512 bits | 1024 bits | 2048 bits (maximum)
Cisco 2500 | 11 seconds | 20 seconds | 4 minutes, 38 seconds | more than 1 hour
Cisco 4700 | less than 1 second | 1 second | 4 seconds | 50 seconds
Specifying a Storage Location for RSA Keys
When you issue the crypto key generate rsa command with the storage devicename: keyword and argument, the RSA keys will be stored on the specified device. This location will supersede any crypto key storage command settings.
Specifying a Device for RSA Key Generation
As of Cisco IOS Release 12.4(11)T and later releases, you may specify the device where RSA keys are generated. Devices supported include NVRAM, local disks, and USB tokens. If your router has a USB token configured and available, the USB token can be used as cryptographic device in addition to a storage device. Using a USB token as a cryptographic device allows RSA operations such as key generation, signing, and authentication of credentials to be performed on the token. The private key never leaves the USB token and is not exportable. The public key is exportable.
RSA keys may be generated on a configured and available USB token, by the use of the on devicename: keyword and argument. Keys that reside on a USB token are saved to persistent token storage when they are generated. The number of keys that can be generated on a USB token is limited by the space available. If you attempt to generate keys on a USB token and it is full you will receive the following message:
% Error in generating keys:no available resources
Key deletion will remove the keys stored on the token from persistent storage immediately. (Keys that do not reside on a token are saved to or deleted from non-token storage locations when the write memory or similar command is issued.)
For information on configuring a USB token, see the "Storing PKI Credentials" chapter in the Cisco IOS Security Configuration Guide, Release 12.4T. For information on using on-token RSA credentials, see the "Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment" chapter in the Cisco IOS Security Configuration Guide, Release 12.4T.
Examples
The following example generates a general usage 1024-bit RSA key pair on a USB token with the label "ms2" with crypto engine debugging messages shown:
Router(config)# crypto key generate rsa on usbtoken0: label ms2 modulus 1024
The name for the keys will be: ms2
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be on-token, non-exportable...
Jan 7 02:41:40.895: crypto_engine: Generate public/private keypair [OK]
Jan 7 02:44:09.623: crypto_engine: Create signature
Jan 7 02:44:10.467: crypto_engine: Verify signature
Jan 7 02:44:10.467: CryptoEngine0: CRYPTO_ISA_RSA_CREATE_PUBKEY(hw)(ipsec)
Jan 7 02:44:10.467: CryptoEngine0: CRYPTO_ISA_RSA_PUB_DECRYPT(hw)(ipsec)
Now, the on-token keys labeled "ms2" may be used for enrollment.
The following example generates special-usage RSA keys:
Router(config)# crypto key generate rsa usage-keys
The name for the keys will be: myrouter.example.com
Choose the size of the key modulus in the range of 360 to 2048 for your Signature Keys.
Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus[512]? <return>
Generating RSA keys.... [OK].
Choose the size of the key modulus in the range of 360 to 2048 for your Encryption Keys.
Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus[512]? <return>
Generating RSA keys.... [OK].
The following example generates general-purpose RSA keys:
Note
You cannot generate both special-usage and general-purpose keys; you can generate only one or the other.
Router(config)# crypto key generate rsa general-keys
The name for the keys will be: myrouter.example.com
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose
Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus[512]? <return>
Generating RSA keys.... [OK].
The following example generates the general purpose RSA key pair "exampleCAkeys":
crypto key generate rsa general-keys label exampleCAkeys
crypto ca trustpoint exampleCAkeys
enrollment url http://exampleCAkeys/certsrv/mscep/mscep.dll
rsakeypair exampleCAkeys 1024 1024
The following example specifies the RSA key storage location of "usbtoken0:" for "tokenkey1":
crypto key generate rsa general-keys label tokenkey1 storage usbtoken0:
Related Commands
Command | Description
crypto key storage | Sets the default storage location for RSA key pairs.
debug crypto engine | Displays debug messages about crypto engines.
hostname | Specifies or modifies the hostname for the network server.
ip domain-name | Defines a default domain name to complete unqualified hostnames (names without a dotted-decimal domain name).
show crypto key mypubkey rsa | Displays the RSA public keys of your router.
show crypto pki certificates | Displays information about your PKI certificate, certification authority, and any registration authority certificates.
crypto key import pem
To import Rivest, Shamir, and Adleman (RSA) keys in privacy-enhanced mail (PEM)-formatted files, use the crypto key import pem command in global configuration mode.
crypto key import rsa key-label pem [usage-keys] {terminal | url url} [exportable] passphrase
Syntax Description
rsa key-label | Name under which the imported RSA key pair will be stored on the router. It does not have to match the label the pair had when it was exported; the example below imports the pair "mycs" as "mycs2".
usage-keys | (Optional) Specifies that two RSA special-usage key pairs will be imported (that is, one encryption pair and one signature pair), instead of one general-purpose key pair.
terminal | Certificates and RSA key pairs will be pasted manually at the console terminal.
url url | URL of the file system from which your router should import the certificates and RSA key pairs.
exportable | (Optional) Specifies that the imported RSA key pair can be exported again to another Cisco device such as a router. Without this keyword the imported pair is not exportable.
passphrase | Passphrase that was used to encrypt the PEM file when it was exported; it is required to decrypt the private key on import. Note The passphrase can be any phrase that is at least eight characters in length; it can include spaces and punctuation, excluding the question mark (?), which has special meaning to the Cisco IOS parser.
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Release | Modification
12.3(4)T | This command was introduced.
Usage Guidelines
The crypto key import pem command allows you to import RSA key pairs in PEM-formatted files. The files can be previously exported from another Cisco IOS router or generated by other public key infrastructure (PKI) applications.
Examples
The following example shows how to generate, export, bring the key back (import), and verify the status of the RSA key pair "mycs":
Router(config)# crypto key generate rsa general-keys label mycs exportable
The name for the keys will be: mycs
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose
Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]
! Archive the key pair to a remote location, and use a good password.
Router(config)# crypto key export rsa mycs pem url nvram: 3des PASSWORD
Usage: General Purpose Key
Destination filename [mycs.pub]?
Writing file to nvram:mycs.pub
Destination filename [mycs.prv]?
Writing file to nvram:mycs.prv
! Import the key as a different name.
Router(config)# crypto key import rsa mycs2 pem url nvram:mycs PASSWORD
% Importing public key or certificate PEM file...
Source filename [mycs.pub]?
Reading file from nvram:mycs.pub
% Importing private key PEM file...
Source filename [mycs.prv]?
Reading file from nvram:mycs.prv
% Key pair import succeeded.
! After the key has been imported, it is no longer exportable.
! Verify the status of the key.
Router# show crypto key mypubkey rsa
% Key pair was generated at: 18:04:56 GMT Jun 6 2003
Usage: General Purpose Key
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E65253
9C30C12E 295AB73F B1DF9FAD 86F88192 7D4FA4D2 8BA7FB49 9045BAB9 373A31CB
A6B1B8F4 329F2E7E 8A50997E AADBCFAA 23C29E19 C45F4F05 DBB2FA51 4B7E9F79
A1095115 759D6BC3 5DFB5D7F BCF655BF 6317DB12 A8287795 7D8DC6A3 D31B2486
C9C96D2C 2F70B50D 3B4CDDAE F661041A 445AE11D 002EEF08 F2A627A0 5B020301 0001
% Key pair was generated at: 18:17:25 GMT Jun 6 2003
Usage: General Purpose Key
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E65253
9C30C12E 295AB73F B1DF9FAD 86F88192 7D4FA4D2 8BA7FB49 9045BAB9 373A31CB
A6B1B8F4 329F2E7E 8A50997E AADBCFAA 23C29E19 C45F4F05 DBB2FA51 4B7E9F79
A1095115 759D6BC3 5DFB5D7F BCF655BF 6317DB12 A8287795 7D8DC6A3 D31B2486
C9C96D2C 2F70B50D 3B4CDDAE F661041A 445AE11D 002EEF08 F2A627A0 5B020301 0001
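Before the <label>.prv file written by crypto key export rsa ... pem is archived, and again before it is handed to crypto key import pem, a practitioner will want to confirm that the private key really is encrypted and with which of the two ciphers the export command offers. The following Python is an added example, not code from the Cisco command reference. It assumes the exported file carries the RFC 1421-style encrypted PEM headers (Proc-Type: 4,ENCRYPTED and DEK-Info: DES-EDE3-CBC,<iv>), which is how such files are normally produced; the PEM bodies below are constructed filler, not real key material. Bear in mind that DES is the weakest choice the command allows and that even a 3DES-wrapped legacy PEM gives limited protection against offline guessing of the passphrase, so the passphrase itself must be strong and the archive location access-controlled.

```python
"""Check an exported RSA private-key PEM before archiving or importing it.

Added example (not from the Cisco command reference). Assumes the .prv file
uses the traditional encrypted-PEM headers; sample bodies are constructed.
"""
import re

# Ciphers the export command can select, keyed by their DEK-Info algorithm name.
CIPHER_NAMES = {
    "DES-EDE3-CBC": "3des",
    "DES-CBC": "des",
}

_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)


def inspect_private_key_pem(text):
    """Describe the first PEM block in text: label, encrypted flag, cipher, IV."""
    m = _PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM block found")
    headers = {}
    for line in m.group("body").splitlines():
        if ":" not in line:
            break  # blank line or base64 payload: the header section has ended
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    result = {"label": m.group("label"), "encrypted": False, "cipher": None, "iv": None}
    if headers.get("Proc-Type") == "4,ENCRYPTED" and "DEK-Info" in headers:
        algo, _, iv = headers["DEK-Info"].partition(",")
        result.update(encrypted=True, cipher=CIPHER_NAMES.get(algo, algo.lower()), iv=iv)
    return result


def archive_ok(text):
    """Policy (this example's assumption): only an encrypted, 3DES-wrapped
    private key with a well-formed 8-byte CBC IV may be archived."""
    info = inspect_private_key_pem(text)
    return (
        "PRIVATE KEY" in info["label"]
        and info["encrypted"]
        and info["cipher"] == "3des"
        and re.fullmatch(r"[0-9A-Fa-f]{16}", info["iv"] or "") is not None
    )


# Constructed samples: realistic headers, filler base64 (not a real key).
PRV_3DES = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,A1B2C3D4E5F60718

Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4
-----END RSA PRIVATE KEY-----
"""

PRV_DES = PRV_3DES.replace("DES-EDE3-CBC", "DES-CBC")

PRV_CLEAR = """-----BEGIN RSA PRIVATE KEY-----
Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, pem in (("3des", PRV_3DES), ("des", PRV_DES), ("clear", PRV_CLEAR)):
        print(name, inspect_private_key_pem(pem), "archive_ok=%s" % archive_ok(pem))
```

A cleartext .prv that has been through an archive or a transfer should be treated as exposed: zeroize and regenerate the pair rather than import it.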
Related Commands
Command | Description
crypto key export pem | Exports RSA keys in PEM-formatted files.
crypto key generate rsa | Generates RSA key pairs.
crypto key lock rsa
To lock the RSA private key in a router, use the crypto key lock rsa command in privileged EXEC mode.
crypto key lock rsa [name key-name] passphrase passphrase
Syntax Description
name key-name | (Optional) Name of the RSA key pair that is to be locked. The name must match the name that was specified via the crypto key encrypt rsa command.
passphrase passphrase | Passphrase that is used to lock the RSA key. The passphrase must match the passphrase that was specified via the crypto key encrypt rsa command.
Defaults
RSA keys are encrypted, but not locked.
Command Modes
Privileged EXEC
Command History
Release | Modification
12.3(7)T | This command was introduced.
Usage Guidelines
When the crypto key lock rsa command is issued, the unencrypted copy of the key is deleted. Because the private key is not available, all RSA operations will fail.
This command affects only the "run-time" access to the key; that is, it does not affect the key that is stored in NVRAM.
Examples
The following example shows how to lock the key "pki1-72a.cisco.com." Thereafter, the show crypto key mypubkey rsa command is issued to verify that the key is protected (encrypted) and locked.
Router# crypto key lock rsa name pki1-72a.cisco.com passphrase cisco1234
Router# show crypto key mypubkey rsa
% Key pair was generated at:20:29:41 GMT Jun 20 2003
Key name:pki1-72a.cisco.com
Usage:General Purpose Key
*** The key is protected and LOCKED. ***
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D7808D C5FF14AC
0D2B55AC 5D199F2F 7CB4B355 C555E07B 6D0DECBE 4519B1F0 75B12D6F 902D6E9F
B6FDAD8D 654EF851 5701D5D7 EDA047ED 9A2A619D 5639DF18 EB020301 0001
Related Commands
Command | Description
crypto key encrypt rsa | Encrypts the RSA private key.
crypto key unlock rsa | Unlocks the RSA private key in a router.
show crypto key mypubkey rsa | Displays the RSA public keys of your router.
crypto key pubkey-chain rsa
To enter public key configuration mode (so you can manually specify other devices' RSA public keys), use the crypto key pubkey-chain rsa command in global configuration mode.
crypto key pubkey-chain rsa
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Release | Modification
11.3 T | This command was introduced.
Usage Guidelines
Use this command to enter public key chain configuration mode. Use this command when you need to manually specify other IPSec peers' RSA public keys. You need to specify other peers' keys when you configure RSA encrypted nonces as the authentication method in an Internet Key Exchange policy at your peer router.
Examples
The following example specifies the RSA public keys of two other IPSec peers. The remote peers use their IP address as their identity.
Router(config)# crypto key pubkey-chain rsa
Router(config-pubkey-chain)# addressed-key 10.5.5.1
Router(config-pubkey-key)# key-string
Router(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
Router(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
Router(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(config-pubkey-chain)# addressed-key 10.1.1.2
Router(config-pubkey-key)# key-string
Router(config-pubkey)# 0738BC7A 2BC3E9F0 679B00FE 53987BCC
Router(config-pubkey)# 01030201 42DD06AF E228D24C 458AD228
Router(config-pubkey)# 58BB5DDD F4836401 2A2D7163 219F882E
Router(config-pubkey)# 64CE69D4 B583748A 241BED0F 6E7F2F16
Router(config-pubkey)# 0DE0986E DF02031F 4B0B0912 F68200C4
Router(config-pubkey)# C625C389 0BFF3321 A2598935 C1B1
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(config-pubkey-chain)# exit
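The Modulus Length guidance under crypto key generate rsa and the key-string hex entered under crypto key pubkey-chain rsa both deal with RSA public keys in the form Cisco IOS prints them: the DER encoding of a SubjectPublicKeyInfo structure, written as hexadecimal. Below is an added Python example, not code from the Cisco command reference, that parses that hex, returns the modulus size and public exponent, and flags keys below a policy minimum. The two sample blobs are the 512-bit key printed under crypto key lock rsa and the 1024-bit key "mycs" printed under crypto key export pem on this page; the 2048-bit minimum is an assumption of the example, not a figure from the page. Run it over the key data from show crypto key mypubkey rsa or show crypto key pubkey-chain rsa to inventory which keys need regenerating.

```python
"""Audit RSA public keys as Cisco IOS displays them.

Added example (not from the Cisco command reference). Parses the hex key data
printed by `show crypto key mypubkey rsa` (the same DER form that is pasted
after `key-string`) and reports modulus bits and exponent. The sample blobs
are copied from this page; MIN_MODULUS_BITS is this example's assumed policy.
"""
import re

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
MIN_MODULUS_BITS = 2048  # assumed policy; the page's own keys are 512 and 1024 bits


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_ios_rsa_key(hex_text):
    """Return (modulus_bits, exponent) from SubjectPublicKeyInfo hex as IOS prints it."""
    der = bytes.fromhex(re.sub(r"\s+", "", hex_text))
    tag, spki, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE (SubjectPublicKeyInfo)")
    tag, alg, pos = _tlv(spki, 0)            # AlgorithmIdentifier
    oid_tag, oid, _ = _tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _tlv(spki, pos)         # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    tag, rsa_pub, _ = _tlv(bitstr, 1)        # skip the unused-bits octet
    if tag != 0x30:
        raise ValueError("expected RSAPublicKey SEQUENCE")
    n_tag, n_bytes, pos = _tlv(rsa_pub, 0)
    e_tag, e_bytes, _ = _tlv(rsa_pub, pos)
    if n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("expected INTEGER n and INTEGER e")
    n = int.from_bytes(n_bytes, "big")       # a leading 0x00 pad octet does not change the value
    e = int.from_bytes(e_bytes, "big")
    return n.bit_length(), e


def audit(hex_text, minimum=MIN_MODULUS_BITS):
    """Return (bits, exponent, ok); ok means the modulus meets the minimum."""
    bits, e = parse_ios_rsa_key(hex_text)
    return bits, e, bits >= minimum


# Sample 1: the 512-bit general-purpose key shown under `crypto key lock rsa`.
KEY_512 = """
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D7808D C5FF14AC
0D2B55AC 5D199F2F 7CB4B355 C555E07B 6D0DECBE 4519B1F0 75B12D6F 902D6E9F
B6FDAD8D 654EF851 5701D5D7 EDA047ED 9A2A619D 5639DF18 EB020301 0001
"""

# Sample 2: the 1024-bit key "mycs" shown under `crypto key export pem`.
KEY_1024 = """
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E65253
9C30C12E 295AB73F B1DF9FAD 86F88192 7D4FA4D2 8BA7FB49 9045BAB9 373A31CB
A6B1B8F4 329F2E7E 8A50997E AADBCFAA 23C29E19 C45F4F05 DBB2FA51 4B7E9F79
A1095115 759D6BC3 5DFB5D7F BCF655BF 6317DB12 A8287795 7D8DC6A3 D31B2486
C9C96D2C 2F70B50D 3B4CDDAE F661041A 445AE11D 002EEF08 F2A627A0 5B020301 0001
"""

if __name__ == "__main__":
    for label, blob in (("512-bit sample", KEY_512), ("1024-bit sample", KEY_1024)):
        bits, e, ok = audit(blob)
        print(f"{label}: modulus={bits} bits e={e} {'OK' if ok else 'BELOW POLICY'}")
```

The parser deliberately rejects anything that is not an rsaEncryption SubjectPublicKeyInfo, so a mistyped or truncated key-string fails loudly instead of yielding a bogus size.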
Related Commands
Command | Description
address | Specifies the IP address of the remote peer whose RSA public key you will manually configure.
addressed-key | Specifies the RSA public key of the peer you will manually configure.
key-string (IKE) | Specifies the RSA public key of a remote peer.
named-key | Specifies which peer RSA public key you will manually configure.
show crypto key pubkey-chain rsa | Displays peer RSA public keys stored on your router.
crypto key unlock rsa
To unlock the RSA private key in a router, use the crypto key unlock rsa command in privileged EXEC mode.
crypto key unlock rsa [name key-name] passphrase passphrase
Syntax Description
name key-name | (Optional) Name of the RSA key pair that is to be unlocked. The name must match the name that was specified via the crypto key encrypt rsa command.
passphrase passphrase | Passphrase that is used to unlock the RSA key. The passphrase must match the passphrase that was specified via the crypto key encrypt rsa command.
Defaults
The encrypted private key is locked.
Command Modes
Privileged EXEC
Command History
Release | Modification
12.3(7)T | This command was introduced.
Usage Guidelines
When a router with an encrypted RSA key (via the crypto key encrypt rsa command) initially boots up, the key does not exist in plain text and is therefore considered to be locked. Because the private key is not available, all RSA operations will fail. After you unlock the private key, RSA operations will function again.
This command affects only the "run-time" access to the key; that is, it does not affect the key that is stored in NVRAM.
Examples
The following example shows how to unlock the key "pki1-72a.cisco.com":
Router# crypto key unlock rsa name pki1-72a.cisco.com passphrase cisco1234
Related Commands
Command | Description
crypto key encrypt rsa | Encrypts the RSA private key.
crypto key lock rsa | Locks the RSA private key in a router.
show crypto key mypubkey rsa | Displays the RSA public keys of your router.
crypto key zeroize rsa
To delete all RSA keys from your router, use the crypto key zeroize rsa command in global configuration mode.
crypto key zeroize rsa [key-pair-label]
Syntax Description
key-pair-label | (Optional) Name of the key pair that the router will delete.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Release | Modification
11.3 T | This command was introduced.
12.2(8)T | The key-pair-label argument was added.
Usage Guidelines
This command deletes all Rivest, Shamir, and Adleman (RSA) keys that were previously generated by your router unless you include the key-pair-label argument, which deletes only the specified RSA key pair. If you issue this command, you must also perform two additional tasks for each trustpoint that is associated with the key pair that was deleted:
• Ask the certification authority (CA) administrator to revoke your router's certificates at the CA; you must supply the challenge password you created when you originally obtained the router's certificates using the crypto ca enroll command.
• Manually remove the router's certificates from the configuration by removing the configured trustpoint (using the no crypto ca trustpoint name command).
Note
This command cannot be undone (after you save your configuration), and after RSA keys have been deleted, you cannot use certificates or the CA or participate in certificate exchanges with other IP Security (IPSec) peers unless you reconfigure CA interoperability by regenerating RSA keys, getting the CA's certificate, and requesting your own certificate again.
This command is not saved to the configuration.
Examples
The following example deletes the general-purpose RSA key pair that was previously generated for the router. After deleting the RSA key pair, the administrator contacts the CA administrator and requests that the certificate of the router be revoked. The administrator then deletes the certificate of the router from the configuration.
crypto key zeroize rsa
crypto ca certificate chain
Related Commands
Command | Description
certificate | Adds certificates manually.
crypto ca certificate chain | Enters the certificate chain configuration mode.
crypto ca trustpoint | Declares the CA that your router should use.
show crypto ca timers | Specifies which key pair to associate with the certificate.
crypto keyring
To define a crypto keyring to be used during Internet Key Exchange (IKE) authentication, use the crypto keyring command in global configuration mode. To remove the keyring, use the no form of this command.
crypto keyring keyring-name [vrf fvrf-name]
no crypto keyring keyring-name [vrf fvrf-name]
Syntax Description
keyring-name | Name of the crypto keyring.
vrf fvrf-name | (Optional) Front door virtual routing and forwarding (FVRF) name to which the keyring will be referenced. The fvrf-name must match the FVRF name that was defined during virtual routing and forwarding (VRF) configuration.
Defaults
All the Internet Security Association and Key Management Protocol (ISAKMP) keys that were defined in the global configuration are part of the default global keyring.
Command Modes
Global configuration
Command History
Release | Modification
12.2(15)T | This command was introduced.
Usage Guidelines
A keyring is a repository of preshared and Rivest, Shamir, and Adleman (RSA) public keys. The keyring is used in the isakmp profile configuration mode. The ISAKMP profile successfully completes authentication of peers if the peer keys are defined in the keyring that is attached to this profile.
Examples
The following example shows that a keyring and its usage have been defined:
crypto keyring keyring-name
 pre-shared-key address 10.72.23.11 key vpnsecret
crypto isakmp profile vpnprofile
 keyring keyring-name
crypto map (global IPSec)
To enter crypto map configuration mode and create or modify a crypto map entry, to create a crypto profile that provides a template for configuration of dynamically created crypto maps, or to configure a client accounting list, use the crypto map command in global configuration mode. To delete a crypto map entry, profile, or set, use the no form of this command.
crypto map map-name seq-num [ipsec-manual]
crypto map map-name seq-num [ipsec-isakmp] [dynamic dynamic-map-name] [discover] [profile profile-name]
crypto map map-name [client-accounting-list aaalist]
no crypto map map-name seq-num
Note
Issue the crypto map map-name seq-num command without a keyword to modify an existing crypto map entry.
Syntax Description
map-name | Name that identifies the crypto map set. This is the name assigned when the crypto map was created.
seq-num | Sequence number you assign to the crypto map entry. See additional explanation for using this argument in the "Usage Guidelines" section.
ipsec-manual | (Optional) Indicates that Internet Key Exchange (IKE) will not be used to establish the IP Security (IPSec) security associations (SAs) for protecting the traffic specified by this crypto map entry.
ipsec-isakmp | (Optional) Indicates that IKE will be used to establish the IPSec SAs for protecting the traffic specified by this crypto map entry.
dynamic | (Optional) Specifies that this crypto map entry is to reference a preexisting dynamic crypto map. Dynamic crypto maps are policy templates used in processing negotiation requests from a peer IPSec device. If you use this keyword, none of the crypto map configuration commands will be available.
dynamic-map-name | (Optional) Specifies the name of the dynamic crypto map set that should be used as the policy template.
discover | (Optional) Enables peer discovery. By default, peer discovery is not enabled.
profile | (Optional) Designates a crypto map as a configuration template. The security configurations of this crypto map will be cloned as new crypto maps are created dynamically on demand.
profile-name | (Optional) Name of the crypto profile being created.
client-accounting-list | (Optional) Designates a client accounting list.
aaalist | (Optional) List name.
Defaults
No crypto maps exist.
Peer discovery is not enabled.
Command Modes
Global configuration
Command History
Release | Modification
11.2 | This command was introduced.
11.3 T | The following keywords and arguments were added: ipsec-manual, ipsec-isakmp, dynamic, dynamic-map-name.
12.0(5)T | The discover keyword was added to support Tunnel Endpoint Discovery (TED).
12.2(4)T | The profile profile-name keyword and argument combination was introduced to allow the generation of a crypto map profile that is cloned to create dynamically created crypto maps on demand.
12.2(11)T | Support was added for the Cisco 1760, Cisco AS5300, Cisco AS5400, and Cisco AS5800 platforms.
12.2(15)T | The client-accounting-list keyword and aaalist argument were added.
Usage Guidelines
Use this command to create a new crypto map entry, to create a crypto map profile, or to modify an existing crypto map entry or profile.
After a crypto map entry has been created, you cannot change the parameters specified at the global configuration level because these parameters determine which of the configuration commands are valid at the crypto map level. For example, after a map entry has been created using the ipsec-isakmp keyword, you cannot change it to the option specified by the ipsec-manual keyword; you must delete and reenter the map entry.
After you define crypto map entries, you can assign the crypto map set to interfaces using the crypto map (interface IPSec) command.
Crypto Map Functions
Crypto maps provide two functions: filtering and classifying traffic to be protected and defining the policy to be applied to that traffic. The first use affects the flow of traffic on an interface; the second affects the negotiation performed (via IKE) on behalf of that traffic.
IPSec crypto maps define the following:
• What traffic should be protected
• To which IPSec peers the protected traffic can be forwarded; these are the peers with which an SA can be established
• Which transform sets are acceptable for use with the protected traffic
• How keys and security associations should be used or managed (or what the keys are, if IKE is not used)
Multiple Crypto Map Entries with the Same Map Name Form a Crypto Map Set
A crypto map set is a collection of crypto map entries, each with a different seq-num argument but the same map-name argument. Therefore, for a given interface, you could have certain traffic forwarded to one IPSec peer with specified security applied to that traffic and other traffic forwarded to the same or a different IPSec peer with different IPSec security applied. To accomplish differential forwarding you would create two crypto maps, each with the same map-name argument, but each with a different seq-num argument. Crypto profiles must have unique names within a crypto map set.
Sequence Numbers
The number you assign to the seq-num argument should not be arbitrary. This number is used to rank multiple crypto map entries within a crypto map set. Within a crypto map set, a crypto map entry with a lower seq-num is evaluated before a map entry with a higher seq-num; that is, the map entry with the lower number has a higher priority.
For example, consider a crypto map set that contains three crypto map entries: mymap 10, mymap 20, and mymap 30. The crypto map set named "mymap" is applied to serial interface 0. When traffic passes through serial interface 0, the traffic is evaluated first for mymap 10. If the traffic matches any access list permit statement entry in the extended access list in mymap 10, the traffic will be processed according to the information defined in mymap 10 (including establishing IPSec SAs when necessary). If the traffic does not match the mymap 10 access list, the traffic will be evaluated for mymap 20, and then mymap 30, until the traffic matches a permit entry in a map entry. (If the traffic does not match a permit entry in any crypto map entry, it will be forwarded without any IPSec security.)
Dynamic Crypto Maps
Refer to the "Usage Guidelines" section of the crypto dynamic-map command for a discussion on dynamic crypto maps.
Crypto map entries that reference dynamic map sets should be the lowest priority map entries, allowing inbound SA negotiation requests to try to match the static maps first. Only after the request does not match any of the static maps, do you want it to be evaluated against the dynamic map set.
To make a crypto map entry referencing a dynamic crypto map set the lowest priority map entry, give the map entry the highest seq-num of all the map entries in a crypto map set.
Create dynamic crypto map entries using the crypto dynamic-map command. After you create a dynamic crypto map set, add the dynamic crypto map set to a static crypto map set with the crypto map (global IPSec) command using the dynamic keyword.
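The evaluation order described in the "Sequence Numbers" and "Dynamic Crypto Maps" guidelines above, as an added Python model rather than anything from the Cisco command reference: the crypto map set, its sequence numbers, the access-list prefixes and the packet addresses below are constructed, and the functions (select_entry, dynamic_entries_last, example_set, misordered_set) are this example's own names. It shows the lowest-seq-num-first match, the result when no entry matches (the packet leaves the interface without IPSec protection), and a check that entries referencing a dynamic crypto map set carry the highest sequence numbers so that static entries are tried first.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed model of a crypto map set (not Cisco IOS code). Each entry keeps the
# permit statements of its extended access list as "src-prefix dst-prefix" strings.


@dataclass
class CryptoMapEntry:
    map_name: str
    seq_num: int
    permits: List[str]             # permit statements of the entry's access list
    dynamic: Optional[str] = None  # name of a referenced dynamic crypto map set, if any


def acl_permits(permits: List[str], src: str, dst: str) -> bool:
    """True if any permit statement covers the source/destination pair."""
    s, d = ip_address(src), ip_address(dst)
    for rule in permits:
        src_net, dst_net = rule.split()
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return True
    return False


def select_entry(crypto_map_set: List[CryptoMapEntry], src: str, dst: str) -> Optional[int]:
    """Return the seq_num of the first entry (lowest seq_num first) whose access list
    permits the flow. None means no entry matched: the packet is forwarded without
    IPSec protection, which is why every flow that must be protected needs a permit."""
    for entry in sorted(crypto_map_set, key=lambda e: e.seq_num):
        if acl_permits(entry.permits, src, dst):
            return entry.seq_num
    return None


def dynamic_entries_last(crypto_map_set: List[CryptoMapEntry]) -> bool:
    """Check the guideline that entries referencing a dynamic crypto map set are the
    lowest-priority (highest seq_num) entries of the set."""
    static_max = max((e.seq_num for e in crypto_map_set if e.dynamic is None), default=-1)
    return all(e.seq_num > static_max for e in crypto_map_set if e.dynamic is not None)


def example_set() -> List[CryptoMapEntry]:
    """Constructed set laid out like the mymap 10/20/30 example in the text."""
    return [
        CryptoMapEntry("mymap", 10, ["192.168.1.0/24 10.1.0.0/16"]),
        CryptoMapEntry("mymap", 20, ["192.168.1.0/24 10.2.0.0/16"]),
        # entry 30 references a dynamic map set; its broad access list only sees
        # flows that entries 10 and 20 did not claim
        CryptoMapEntry("mymap", 30, ["192.168.1.0/24 10.0.0.0/8"], dynamic="mydynamicmap"),
    ]


def misordered_set() -> List[CryptoMapEntry]:
    """Same entries, but the dynamic reference is given the lowest seq_num: it now
    shadows the static entries for every 10.0.0.0/8 destination."""
    entries = example_set()
    entries[2].seq_num = 5
    return entries


if __name__ == "__main__":
    entries = example_set()
    print(select_entry(entries, "192.168.1.5", "10.2.3.4"))    # 20, not 30
    print(select_entry(entries, "192.168.1.5", "172.16.0.1"))  # None: sent in the clear
    print(dynamic_entries_last(entries), dynamic_entries_last(misordered_set()))
```

The None result is the case worth auditing on a real crypto map set: a flow that no access list permits is not dropped, it is simply forwarded unprotected, so a gap between the permit statements and the traffic you intend to protect is silent.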
TED
TED is an enhancement to the IPSec feature. Defining a dynamic crypto map allows you to dynamically determine an IPSec peer; however, only the receiving router has this ability. With TED, the initiating router can dynamically determine an IPSec peer for secure IPSec communications.
Dynamic TED helps to simplify IPSec configuration on the individual routers within a large network. Each node has a simple configuration that defines the local network that the router is protecting and the IPSec transforms that are required.
Note
TED helps only in discovering peers; otherwise, TED does not function any differently from normal IPSec. Thus, TED does not improve the scalability of IPSec (in terms of performance or the number of peers or tunnels).
Crypto Map Profiles
Crypto map profiles are created using the profile profile-name keyword and argument combination. Crypto map profiles are used as configuration templates for dynamically creating crypto maps on demand for use with the Layer 2 Tunneling Protocol (L2TP) Security feature. The relevant SAs of the crypto map profile will be cloned and used to protect IP traffic on the L2TP tunnel.
Note
The set peer and match address commands are ignored by crypto profiles and should not be configured in the crypto map definition.
Examples
The following example shows the minimum required crypto map configuration when IKE will be used to establish the SAs:
crypto map mymap 10 ipsec-isakmp
 set transform-set my_t_set1
The following example shows the minimum required crypto map configuration when the SAs are manually established:
crypto ipsec transform-set someset ah-md5-hmac esp-des
crypto map mymap 10 ipsec-manual
 set transform-set someset
 set session-key inbound ah 256 98765432109876549876543210987654
 set session-key outbound ah 256 fedcbafedcbafedcfedcbafedcbafedc
 set session-key inbound esp 256 cipher 0123456789012345
 set session-key outbound esp 256 cipher abcdefabcdefabcd
The following example configures an IPSec crypto map set that includes a reference to a dynamic crypto map set.
Crypto map "mymap 10" allows SAs to be established between the router and either (or both) of two remote IPSec peers for traffic matching access list 101. Crypto map "mymap 20" allows either of two transform sets to be negotiated with the remote peer for traffic matching access list 102.
Crypto map entry "mymap 30" references the dynamic crypto map set "mydynamicmap," which can be used to process inbound SA negotiation requests that do not match "mymap" entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in "mydynamicmap," for a flow permitted by the access list 103, IPSec will accept the request and set up SAs with the remote peer without previously knowing about the remote peer. If the request is accepted, the resulting SAs (and temporary crypto map entry) are established according to the settings specified by the remote peer.
The access list associated with "mydynamicmap 10" is also used as a filter. Inbound packets that match any access list permit statement in this list are dropped for not being IPSec protected. (The same is true for access lists associated with static crypto maps entries.) Outbound packets that match a permit statement without an existing corresponding IPSec SA are also dropped.
crypto map mymap 10 ipsec-isakmp
 set transform-set my_t_set1
crypto map mymap 20 ipsec-isakmp
 set transform-set my_t_set1 my_t_set2
crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap
crypto dynamic-map mydynamicmap 10
 set transform-set my_t_set1 my_t_set2 my_t_set3
The following example configures TED on a Cisco router:
crypto map testtag 10 ipsec-isakmp dynamic dmap discover
The following example configures a crypto profile to be used as a template for dynamically created crypto maps when IPSec is used to protect an L2TP tunnel:
crypto map l2tpsec 10 ipsec-isakmp profile l2tp
Related Commands
Command | Description
crypto dynamic-map | Creates a dynamic crypto map entry and enters the crypto map configuration command mode.
crypto isakmp profile | Audits IPSec user sessions.
crypto map (interface IPSec) | Applies a previously defined crypto map set to an interface.
crypto map local-address | Specifies and names an identifying interface to be used by the crypto map for IPSec traffic.
debug crypto isakmp | Applies a previously defined crypto map set to an interface.
match address (IPSec) | Specifies an extended access list for a crypto map entry.
set peer (IPSec) | Specifies an IPSec peer in a crypto map entry.
set pfs | Specifies that IPSec should ask for PFS when requesting new SAs for this crypto map entry, or that IPSec requires PFS when receiving requests for new SAs.
set security-association level per-host | Specifies that separate IPSec SAs should be requested for each source/destination host pair.
set security-association lifetime | Overrides (for a particular crypto map entry) the global lifetime value, which is used when negotiating IPSec SAs.
set session-key | Specifies the IPSec session keys within a crypto map entry.
set transform-set | Specifies which transform sets can be used with the crypto map entry.
show crypto map (IPSec) | Displays the crypto map configuration.
crypto map (interface IPSec)
To apply a previously defined crypto map set to an interface, use the crypto map command in interface configuration mode. To remove the crypto map set from the interface, use the no form of this command.
crypto map map-name [redundancy standby-group-name [stateful]]
no crypto map [map-name] [redundancy standby-group-name [stateful]]
Syntax Description
map-name | Name that identifies the crypto map set. This is the name assigned when the crypto map was created. When the no form of the command is used, this argument is optional. Any value supplied for the argument is ignored.
redundancy | (Optional) Defines a backup IP Security (IPSec) peer. Both routers in the standby group are defined by the redundancy standby name and share the same virtual IP address.
standby-group-name | (Optional) Refers to the name of the standby group as defined by Hot Standby Router Protocol (HSRP) standby commands.
stateful | (Optional) Enables IPSec stateful failover for the crypto map.
Defaults
No crypto maps are assigned to interfaces.
Command Modes
Interface configuration
Command History
Release | Modification
11.2 | This command was introduced.
12.1(9)E | The redundancy keyword and standby-name argument were added.
12.2(8)T | The redundancy keyword and standby-name argument were integrated into Cisco IOS Release 12.2(8)T.
12.2(11)T | This command was implemented on the Cisco AS5300 and Cisco AS5800 platforms.
12.2(9)YE | The redundancy keyword and standby-name argument were integrated into Cisco IOS Release 12.2(9)YE.
12.2(14)S | This feature was integrated into Cisco IOS Release 12.2(14)S.
12.3(11)T | The stateful keyword was added.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
Use this command to assign a crypto map set to an interface. You must assign a crypto map set to an interface before that interface can provide IPSec services. Only one crypto map set can be assigned to an interface. If multiple crypto map entries have the same map name but a different sequence number, they are considered to be part of the same set and will all be applied to the interface. The crypto map entry that has the lowest sequence number is considered the highest priority and will be evaluated first. A single crypto map set can contain a combination of ipsec-isakmp and ipsec-manual crypto map entries.
Note
A crypto map applied to a loopback interface is not supported.
The standby name must be configured on all devices in the standby group, and the standby address must be configured on at least one member of the group. If the standby name is removed from the router, the IPSec security associations (SAs) will be deleted. If the standby name is added again, regardless of whether the same name or a different name is used, the crypto map (using the redundancy option) will have to be reapplied to the interface.
Note
A virtual IP address must be configured in the standby group to enable either stateless or stateful redundancy.
The stateful keyword enables stateful failover of IKE and IPSec sessions. Stateful Switchover (SSO) must also be configured for IPSec stateful failover to operate correctly.
Examples
The following example shows how all remote Virtual Private Network (VPN) gateways connect to the router via 192.168.0.3:
crypto map mymap 1 ipsec-isakmp
 set transform-set esp-3des-sha
interface FastEthernet 0/0
 ip address 192.168.0.2 255.255.255.0
 crypto map mymap redundancy group1
access-list 102 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255
The crypto map on the interface binds this standby address as the local tunnel endpoint for all instances of "mymap" and, at the same time, ensures that stateless HSRP failover is facilitated between an active and standby device that belongs to the same standby group, "group1."
Reverse route injection (RRI) is also enabled to provide the ability for only the active device in the HSRP group to be advertising itself to inside devices as the next hop VPN gateway to the remote proxies. If a failover occurs, routes are deleted on the former active device and created on the new active device.
The following example shows how to configure IPSec stateful failover on the crypto map "to-peer-outside":
crypto map to-peer-outside 10 ipsec-isakmp
match address peer-outside
ip address 209.165.201.1 255.255.255.224
standby 1 ip 209.165.201.3
standby 1 track Ethernet1/0
crypto map to-peer-outside redundancy HA-out stateful
Related Commands
Command | Description
crypto map (global IPSec) | Creates or modifies a crypto map entry and enters the crypto map configuration mode.
crypto map local-address | Specifies and names an identifying interface to be used by the crypto map for IPSec traffic.
redundancy inter-device | Configures redundancy and enters inter-device configuration mode.
show crypto map (IPSec) | Displays the crypto map configuration.
standby ip | Assigns an IP address that is to be shared among the members of the HSRP group and owned by the primary IP address.
standby name | Assigns a user-defined group name to the HSRP redundancy group.
crypto map client authentication list
To configure Internet Key Exchange extended authentication (Xauth) on your router, use the crypto map client authentication list command in global configuration mode. To restore the default value, use the no form of this command.
crypto map map-name client authentication list list-name
no crypto map map-name client authentication list list-name
Syntax Description
map-name | The name you assign to the crypto map set.
list-name | Character string used to name the list of authentication methods activated when a user logs in. The list-name must match the list-name defined during AAA configuration.
Defaults
Xauth is not enabled.
Command Modes
Global configuration
Command History
Release | Modification
12.1(1)T | This command was introduced.
Usage Guidelines
Before configuring Xauth, you should complete the following tasks:
• Set up an authentication list using AAA commands.
• Configure an IP Security transform.
• Configure a crypto map.
• Configure Internet Security Association Key Management Protocol (ISAKMP) policy.
After enabling Xauth, you should apply the crypto map on which Xauth is configured to the router interface.
Examples
The following example configures user authentication (a list of authentication methods called xauthlist) on an existing static crypto map called xauthmap:
crypto map xauthmap client authentication list xauthlist
The following example configures user authentication (a list of authentication methods called xauthlist) on a dynamic crypto map called xauthdynamic that has been applied to a static crypto map called xauthmap:
crypto map xauthmap client authentication list xauthlist
crypto map xauthmap 10 ipsec-isakmp dynamic xauthdynamic
Related Commands
Command | Description
aaa authentication login | Sets AAA authentication at login.
crypto ipsec transform-set | Defines a transform set, which is an acceptable combination of security protocols and algorithms, and enters crypto transform configuration mode.
crypto isakmp key | Configures a preshared authentication key.
crypto isakmp policy | Defines an IKE policy, and enters ISAKMP policy configuration mode.
crypto map (global configuration) | Creates or modifies a crypto map entry, and enters the crypto map configuration mode.
interface | Enters the interface configuration mode.
crypto map client configuration address
To configure IKE Mode Configuration on your router, use the crypto map client configuration address command in global configuration mode. To disable IKE Mode Configuration, use the no form of this command.
crypto map tag client configuration address [initiate | respond]
no crypto map tag client configuration address
Syntax Description
tag | The name that identifies the crypto map.
initiate | (Optional) A keyword that indicates the router will attempt to set IP addresses for each peer.
respond | (Optional) A keyword that indicates the router will accept requests for IP addresses from any requesting peer.
Defaults
IKE Mode Configuration is not enabled.
Command Modes
Global configuration
Command History
Release | Modification
12.0(4)XE | This command was introduced.
12.0(7)T | This command was implemented in Cisco IOS release 12.0(7)T.
Usage Guidelines
At the time of this publication, this feature is an IETF draft with limited support. Therefore this feature was not designed to enable the configuration mode for every IKE connection by default.
Examples
The following examples configure IKE Mode Configuration on your router:
crypto map dyn client configuration address initiate
crypto map dyn client configuration address respond
Related Commands
Command | Description
crypto map (global) | Creates or modifies a crypto map entry and enters the crypto map configuration mode.
crypto map isakmp authorization list
To enable Internet Key Exchange (IKE) querying of authentication, authorization, and accounting (AAA) for tunnel attributes in aggressive mode, use the crypto map isakmp authorization list command in global configuration mode. To restore the default value, use the no form of this command.
crypto map map-name isakmp authorization list list-name
no crypto map map-name isakmp authorization list list-name
Syntax Description
map-name | Name you assign to the crypto map set.
list-name | Character string used to name the list of authorization methods activated when a user logs in. The list name must match the list name defined during AAA configuration.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Release | Modification
12.1(1)T | This command was introduced.
Usage Guidelines
Use the crypto map client authorization list command to enable key lookup from a AAA server.
Preshared keys deployed in a large-scale Virtual Private Network (VPN) without a certification authority, with dynamic IP addresses, are accessed during aggressive mode of IKE negotiation through a AAA server. Thus, users have their own key, which is stored on an external AAA server. This allows for central management of the user database, linking it to an existing database, in addition to allowing every user to have their own unique, more secure preshared key.
Before configuring the crypto map client authorization list command, you should perform the following tasks:
• Set up an authorization list using AAA commands.
• Configure an IPSec transform.
• Configure a crypto map.
• Configure an Internet Security Association Key Management Protocol policy using IPSec and IKE commands.
After enabling the crypto map client authorization list command, you should apply the previously defined crypto map to the interface.
Examples
The following example shows how to configure the crypto map client authorization list command:
crypto map ikessaaamap isakmp authorization list ikessaaalist
crypto map ikessaaamap 10 ipsec-isakmp dynamic ikessaaadyn
Related Commands
Command | Description
aaa authorization | Sets parameters that restrict a user's network access.
crypto ipsec transform-set | Defines a transform set, which is an acceptable combination of security protocols and algorithms, and enters crypto transform configuration mode.
crypto map (global configuration) | Creates or modifies a crypto map entry and enters the crypto map configuration mode.
crypto isakmp policy | Defines an IKE policy and enters ISAKMP policy configuration mode.
crypto isakmp key | Configures a preshared authentication key.
interface | Enters interface configuration mode.
crypto map isakmp-profile
To configure an Internet Security Association and Key Management Protocol (ISAKMP) profile on a crypto map, use the crypto map isakmp-profile command in global configuration mode. To restore the default values on the crypto map, use the no form of this command.
crypto map map-name isakmp-profile isakmp-profile-name
no crypto map map-name isakmp-profile isakmp-profile-name
Syntax Description
map-name | Name assigned to the crypto map set.
isakmp-profile-name | Character string used to name the ISAKMP profile that is used during an Internet Key Exchange (IKE) Phase 1 and Phase 1.5 exchange. The isakmp-profile-name must match the ISAKMP profile name that was defined during the ISAKMP profile configuration.
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Release | Modification
12.2(15)T | This command was introduced.
Usage Guidelines
This command describes the ISAKMP profile to use to start the IKE exchange. Before configuring this command, you must set up the ISAKMP profile.
Examples
The following example shows that an ISAKMP profile is configured on a crypto map:
crypto map vpnmap isakmp-profile vpnprofile
Related Commands
Command | Description
crypto ipsec transform-set | Defines a transform set, an acceptable combination of security protocols and algorithms.
crypto map (global) | Creates or modifies a crypto map entry.
crypto map local-address
To specify and name an identifying interface to be used by the crypto map for IPSec traffic, use the crypto map local-address command in global configuration mode. To remove this command from the configuration, use the no form of this command.
crypto map map-name local-address interface-id
no crypto map map-name local-address
Syntax Description
map-name | Name that identifies the crypto map set. This is the name assigned when the crypto map was created.
interface-id | The identifying interface that should be used by the router to identify itself to remote peers. If Internet Key Exchange is enabled and you are using a certification authority (CA) to obtain certificates, this should be the interface with the address specified in the CA certificates.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Release | Modification
11.3 T | This command was introduced.
Usage Guidelines
If you apply the same crypto map to two interfaces and do not use this command, two separate security associations (with different local IP addresses) could be established to the same peer for similar traffic. If you are using the second interface as redundant to the first interface, it could be preferable to have a single security association (with a single local IP address) created for traffic sharing the two interfaces. Having a single security association decreases overhead and makes administration simpler.
This command allows a peer to establish a single security association (and use a single local IP address) that is shared by the two redundant interfaces.
If applying the same crypto map set to more than one interface, the default behavior is as follows:
• Each interface will have its own security association database.
• The IP address of the local interface will be used as the local address for IPSec traffic originating from/destined to that interface.
However, if you use a local-address for that crypto map set, it has multiple effects:
• Only one IPSec security association database will be established and shared for traffic through both interfaces.
• The IP address of the specified interface will be used as the local address for IPSec (and IKE) traffic originating from or destined to that interface.
One suggestion is to use a loopback interface as the referenced local address interface, because the loopback interface never goes down.
Examples
The following example assigns crypto map set "mymap" to the S0 interface and to the S1 interface. When traffic passes through either S0 or S1, the traffic will be evaluated against all the crypto maps in the "mymap" set. When traffic through either interface matches an access list in one of the "mymap" crypto maps, a security association will be established. This same security association will then apply to both S0 and S1 traffic that matches the originally matched IPSec access list. The local address that IPSec will use on both interfaces will be the IP address of interface loopback0.
crypto map mymap local-address loopback0
Related Commands
Command | Description
crypto map (interface IPSec) | Applies a previously defined crypto map set to an interface.
crypto map redundancy replay-interval
To modify the interval at which inbound and outbound replay updates are passed from an active device to a standby device, use the crypto map redundancy replay-interval command in global configuration mode. To return to the default functionality, use the no form of this command.
crypto map map-name redundancy replay-interval inbound in-value outbound out-value
no crypto map map-name redundancy replay-interval inbound in-value outbound out-value
Syntax Description
map-name | Name that identifies the crypto map set. This is the name assigned when the crypto map was created.
inbound in-value | Number of inbound packets that are processed before an anti-replay update is sent from the active router to the standby router.
outbound out-value | Number of outbound packets that are processed before an anti-replay update is sent from the active router to the standby router.
Defaults
inbound in-value: one update every 1,000 packets
outbound out-value: one update every 100,000 packets
Command Modes
Global configuration
Command History
Release | Modification
12.3(11)T | This command was introduced.
Usage Guidelines
Note
This command can be used only in conjunction with IPSec stateful failover on a crypto map.
Stateful failover enables a router to continue processing and forwarding packets after a planned or unplanned outage occurs; that is, a backup (secondary) router automatically takes over the tasks of the active (primary) router if the active router loses connectivity for any reason.
The crypto map redundancy replay-interval command allows you to modify the interval in which an IP redundancy-enabled crypto map sends anti-replay updates from the active router to the standby router.
Examples
The following example shows how to enable replay checking for the crypto map "to-peer-outside" and enable IPSec stateful failover:
crypto map to-peer-outside redundancy replay-interval inbound 1000 outbound 10000
crypto map to-peer-outside 10 ipsec-isakmp
match address peer-outside
ip address 209.165.201.1 255.255.255.224
standby 1 ip 209.165.201.3
standby 1 track Ethernet1/0
crypto map to-peer-outside redundancy HA-out stateful
crypto mib ipsec flowmib history failure size
To change the size of the IP Security (IPSec) MIB failure history table, use the crypto mib ipsec flowmib history failure size command in global configuration mode.
crypto mib ipsec flowmib history failure size number
Syntax Description
number | Size of the failure history table. The default value is 200.
Defaults
The default table size is 200.
Command Modes
Global configuration
Command History
Release | Modification
12.1(4)E | This command was introduced.
12.2(4)T | This command was integrated into Cisco IOS Release 12.2 T.
Usage Guidelines
Use the crypto mib ipsec flowmib history failure size command to change the size of a failure history table. If you do not configure the size of a failure history table, the default of 200 will be implemented.
A failure history table stores the reason for a tunnel failure and the time the failure occurred. A failure history table can be used as a simple method to distinguish between a normal and an abnormal tunnel termination. That is, if a tunnel entry in the tunnel history table has no associated failure record, the tunnel must have terminated normally. However, not every failure corresponds to a tunnel. Supported setup failures are recorded in the failure table, but no history table entry is associated with them because a tunnel was never set up.
Examples
In the following example, the size of a failure history table is configured to be 140:
Router(config)# crypto mib ipsec flowmib history failure size 140
Related Commands
Command | Description
crypto mib ipsec flowmib history tunnel size | Changes the size of the IPSec tunnel history table.
show crypto mib ipsec flowmib history failure size | Displays the size of the IPSec failure history table.
crypto mib ipsec flowmib history tunnel size
To change the size of the IP Security (IPSec) tunnel history table, use the crypto mib ipsec flowmib history tunnel size command in global configuration mode.
crypto mib ipsec flowmib history tunnel size number
Syntax Description
number | Size of the tunnel history table. The default value is 200.
Defaults
The default table size is 200.
Command Modes
Global configuration
Command History
Release | Modification
12.1(4)E | This command was introduced.
12.2(4)T | This command was integrated into Cisco IOS Release 12.2 T.
Usage Guidelines
Use the crypto mib ipsec flowmib history tunnel size command to change the size of a tunnel history table. If you do not configure the size of a tunnel history table, the default of 200 will be implemented.
A tunnel history table stores the attribute and statistics records, which contain the attributes and the last snapshot of the traffic statistics of a given tunnel. A tunnel history table accompanies a failure table, so you can display the complete history of a given tunnel. However, a tunnel history table does not accompany every failure table, because not every failure corresponds to a tunnel. Thus, supported setup failures are recorded in the failure table, but no associated history table entry is recorded because a tunnel was never set up.
As an optimization, a tunnel endpoint table can be combined with a tunnel history table. However, if a tunnel endpoint table is combined, all three tables (the failure history table, tunnel history table, and the endpoint table) must remain the same size even though the MIB allows each table to be distinct.
Examples
In the following example, the size of the tunnel history table changed to 130:
Router(config)# crypto mib ipsec flowmib history tunnel size 130
crypto pki authenticate
To authenticate the certification authority (by getting the certificate of the CA), use the crypto pki authenticate command in global configuration mode.
crypto pki authenticate name
Syntax Description
name | Specifies the name of the CA. This is the same name used when the CA was declared with the crypto ca identity command.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Release | Modification
11.3 T | The crypto ca authenticate command was introduced.
12.3(7)T | This command replaced the crypto ca authenticate command.
Usage Guidelines
This command is required when you initially configure CA support at your router.
This command authenticates the CA to your router by obtaining the self-signed certificate of the CA that contains the public key of the CA. Because the CA signs its own certificate, you should manually authenticate the public key of the CA by contacting the CA administrator when you perform this command.
If you are using RA mode (using the enrollment mode ra command) when you issue the crypto pki authenticate command, then registration authority signing and encryption certificates will be returned from the CA as well as the CA certificate.
This command is not saved to the router configuration. However, the public keys embedded in the received CA (and RA) certificates are saved to the configuration as part of the RSA public key record (called the "RSA public key chain").
Note
If the CA does not respond within the timeout period after this command is issued, terminal control will be returned so that the terminal is not tied up. If this happens, you must re-enter the command. Cisco IOS software will not recognize CA certificate expiration dates set beyond the year 2049. If the validity period of the CA certificate is set to expire after the year 2049, the following error message will be displayed when authentication with the CA server is attempted:
error retrieving certificate :incomplete chain
If you receive an error message similar to this one, check the expiration date of your CA certificate. If the expiration date of your CA certificate is set after the year 2049, you must reduce the expiration date by a year or more.
Examples
In the following example, the router requests the certificate of the CA. The CA sends its certificate and the router prompts the administrator to verify the certificate of the CA by checking the CA certificate's fingerprint. The CA administrator can also view the CA certificate's fingerprint, so you should compare what the CA administrator sees to what the router displays on the screen. If the fingerprint on the router's screen matches the fingerprint viewed by the CA administrator, you should accept the certificate as valid.
Router(config)# crypto pki authenticate myca
Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 0123
Do you accept this certificate? [yes/no] y#
Related Commands
Command | Description
debug crypto pki transactions | Displays debug messages for the trace of interaction (message type) between the CA and the router.
show crypto pki certificates | Displays information about your certificate, the certificate of the CA, and any RA certificates.
crypto pki cert validate
To determine if a trustpoint has been successfully authenticated, a certificate has been requested and granted, and if the certificate is currently valid, use the crypto pki cert validate command in global configuration mode.
crypto pki cert validate trustpoint
Syntax Description
trustpoint | The trustpoint to be validated.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Release | Modification
12.3(8)T | This command was introduced. Also, effective with Cisco IOS Release 12.3(8)T, this command replaced the crypto ca cert validate command.
Usage Guidelines
The crypto pki cert validate command validates the router's own certificate for a given trustpoint. Use this command as a sanity check after enrollment to verify that the trustpoint is properly authenticated, a certificate has been requested and granted for the trustpoint, and that the certificate is currently valid. A certificate is valid if it is signed by the trustpoint certification authority (CA), not expired, and so on.
Examples
The following examples show the possible output from the crypto pki cert validate command:
Router(config)# crypto pki cert validate ka
Validation Failed: trustpoint not found for ka
Router(config)# crypto pki cert validate ka
Validation Failed: can't get local certificate chain
Router(config)# crypto pki cert validate ka
Certificate chain has 2 certificates.
Certificate chain for ka is valid
Router(config)# crypto pki cert validate ka
Certificate chain has 2 certificates.
Validation Error: no certs on chain
Router(config)# crypto pki cert validate ka
Certificate chain has 2 certificates.
Validation Error: unspecified error
Related Commands
Command | Description
crypto pki trustpoint | Declares the certification authority that the router should use.
show crypto pki trustpoints | Displays the trustpoints that are configured in the router.
crypto pki certificate chain
To enter the certificate chain configuration mode, use the crypto pki certificate chain command in global configuration mode. (You need to be in certificate chain configuration mode to delete certificates.)
crypto pki certificate chain name
Syntax Description
name | Specifies the name of the CA. Use the same name as when you declared the CA using the crypto pki trustpoint command.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Release | Modification
11.3 T | The crypto ca certificate chain command was introduced.
12.3(7)T | This command replaced the crypto ca certificate chain command.
Usage Guidelines
This command puts you into certificate chain configuration mode. When you are in certificate chain configuration mode, you can delete certificates using the certificate command.
Examples
The following example deletes the router's certificate. In this example, the router had a general-purpose RSA key pair with one corresponding certificate. The show command is used to determine the serial number of the certificate to be deleted.
Router# show crypto pki certificates
Name: myrouter.example.com
Certificate Serial Number: 0123456789ABCDEF0123456789ABCDEF
Key Usage: General Purpose
Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
Router# configure terminal
Router(config)# crypto pki certificate chain myca
Router(config-cert-chain)# no certificate 0123456789ABCDEF0123456789ABCDEF
% Are you sure you want to remove the certificate [yes/no]? yes
% Be sure to ask the CA administrator to revoke this certificate.
Router(config-cert-chain)# exit
Related Commands
Command | Description
certificate | Adds certificates manually.
crypto pki certificate map
To define certificate-based access control lists (ACLs), use the crypto pki certificate map command in ca-certificate-map configuration mode. To remove the certificate-based ACLs, use the no form of this command.
crypto pki certificate map label sequence-number
no crypto pki certificate map label sequence-number
Syntax Description
label | A user-specified label that is referenced within the crypto pki trustpoint command.
sequence-number | A number that orders the ACLs with the same label. ACLs with the same label are processed from lowest to highest sequence number. When an ACL is matched, processing stops with a successful result.
Defaults
No default behavior or value.
Command Modes
Ca-certificate-map configuration
Command History
Release | Modification
12.2(15)T | The crypto ca certificate map command was introduced.
12.3(7)T | This command replaced the crypto ca certificate map command.
Usage Guidelines
Issuing this command places the router in CA certificate map configuration mode where you can specify several certificate fields together with their matching criteria. The general form of these fields is as follows:
field-name match-criteria match-value
The field-name in the above example is one of the certificate fields. Field names are similar to the names used in the International Telecommunication Union Telecommunication Standardization Sector (ITU-T) X.509 standard. The name field is a special field that matches any subject name or related name field in the certificate, such as the alt-subject-name, subject-name, and unstructured-subject-name fields.
• alt-subject-name—Case-insensitive string.
• expires-on—Date field in the format dd mm yyyy hh:mm:ss or mmm dd yyyy hh:mm:ss.
• issuer-name—Case-insensitive string.
• name—Case-insensitive string.
• subject-name—Case-insensitive string.
• unstructured-subject-name—Case-insensitive string.
• valid-start—Date field in the format dd mm yyyy hh:mm:ss or mmm dd yyyy hh:mm:ss.
Note
The time portion is optional in both the expires-on date and valid-start field and defaults to 00:00:00 if not specified. The time is interpreted according to the time zone offset configured for the router. The string utc can be appended to the date and time when they are configured as Universal Time, Coordinated (UTC) rather than local time.
The match-criteria in the example is one of the following logical operators:
• eq—equal (valid for name and date fields)
• ne—not equal (valid for name and date fields)
• co—contains (valid only for name fields)
• nc—does not contain (valid only for name fields)
• lt—less than (valid only for date fields)
• ge—greater than or equal to (valid only for date fields)
The match-value is a case-insensitive string or a date.
Examples
The following example shows how to configure a certificate-based ACL that will allow any certificate issued by Cisco Systems to an entity within the cisco.com domain. The label is Cisco, and the sequence is 10.
crypto pki certificate map Cisco 10
issuer-name co Cisco Systems
unstructured-subject-name co cisco.com
The following example accepts any certificate issued by Cisco Systems for an entity whose subject name contains DIAL or whose organizationUnit component is ou=WAN. This certificate-based ACL consists of two separate ACLs tied together with the common label Group. Because the check for DIAL has a lower sequence number, it is performed first. Note that the string "DIAL" can occur anywhere in the subjectName field of the certificate, but the string WAN must be in the organizationUnit component.
crypto pki certificate map Group 10
issuer-name co Cisco Systems
crypto pki certificate map Group 20
issuer-name co Cisco Systems
Case is ignored in string comparisons; therefore, DIAL in the previous example will match dial, DIAL, Dial, and so on. Also note that the component identifiers (o=, ou=, cn=, and so on) are not required unless it is desirable that the string to be matched occurs in a specific component of the name. (Refer to the ITU-T security standards for more information about certificate fields and components such as ou=.)
If a component identifier is specified in the match string, the exact string, including the component identifier, must appear in the certificate. This requirement can present a problem if more than one component identifier is included in the match string. For example, "ou=WAN,o=Cisco Systems" will not match a certificate with the string "ou=WAN,ou=Engineering,o=Cisco Systems" because the "ou=Engineering" string separates the two desired component identifiers.
To match both "ou=WAN" and "o=Cisco Systems" in a certificate while ignoring other component identifiers, you could use this certificate map:
crypto pki certificate map Group 10
Any space character preceding or following the equal sign (=) character in component identifiers is ignored. Therefore "o=Cisco" in the preceding example will match "o = Cisco," "o= Cisco," "o =Cisco," and so on.
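The matching rules described above (the certificate fields, the eq/ne/co/nc/lt/ge operators, case-insensitive comparison, the two date formats with optional time and utc suffix, spaces around = ignored, and lowest-to-highest sequence processing that stops at the first match) written out as a Python evaluator. This is an added example, not Cisco IOS code; the Certificate class, the rule tuples, the sample certificates and the GROUP_MAP entries (which stand in for the subject-name lines of the "Group" map in the text) are constructed for illustration.

```python
# Added illustration of certificate-map (certificate-based ACL) evaluation.
# Not Cisco IOS code; all certificate data and rules below are constructed.
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

NAME_FIELDS = {"alt-subject-name", "issuer-name", "name",
               "subject-name", "unstructured-subject-name"}
DATE_FIELDS = {"expires-on", "valid-start"}


@dataclass
class Certificate:
    """Only the certificate fields a certificate map can reference (constructed)."""
    subject_name: str
    issuer_name: str
    valid_start: datetime
    expires_on: datetime
    alt_subject_name: str = ""
    unstructured_subject_name: str = ""


def normalize_name(s: str) -> str:
    # String comparisons are case-insensitive and spaces around '=' are ignored,
    # so "o = Cisco" and "o=Cisco" compare equal. Other spacing is significant.
    return re.sub(r"\s*=\s*", "=", s).lower()


def parse_match_date(value: str) -> datetime:
    # Accepts "dd mm yyyy [hh:mm:ss]" or "mmm dd yyyy [hh:mm:ss]", optionally
    # followed by "utc"; a missing time defaults to 00:00:00.
    tokens = value.split()
    if tokens and tokens[-1].lower() == "utc":
        tokens.pop()
    date_part, time_part = tokens[:3], tokens[3:]
    time_str = time_part[0] if time_part else "00:00:00"
    date_fmt = "%d %m %Y" if date_part[0].isdigit() else "%b %d %Y"
    return datetime.strptime(" ".join(date_part) + " " + time_str,
                             date_fmt + " %H:%M:%S")


def field_values(cert: Certificate, field: str) -> List[str]:
    # "name" is the special field that matches any subject-related name field.
    if field == "name":
        return [cert.subject_name, cert.alt_subject_name,
                cert.unstructured_subject_name]
    return [getattr(cert, field.replace("-", "_"))]


def rule_matches(cert: Certificate, field: str, op: str, value: str) -> bool:
    """Evaluate one 'field-name match-criteria match-value' line."""
    if field in NAME_FIELDS:
        if op not in ("eq", "ne", "co", "nc"):
            raise ValueError(f"{op} is not valid for name field {field}")
        want = normalize_name(value)
        have = [normalize_name(v) for v in field_values(cert, field)]
        if op == "eq":
            return any(h == want for h in have)
        if op == "ne":            # assumption: no candidate name may be equal
            return all(h != want for h in have)
        if op == "co":            # plain substring test, so "ou=WAN,o=Cisco Systems"
            return any(want in h for h in have)   # fails when another ou= sits between
        return all(want not in h for h in have)   # nc
    if field in DATE_FIELDS:
        if op not in ("eq", "ne", "lt", "ge"):
            raise ValueError(f"{op} is not valid for date field {field}")
        want = parse_match_date(value)
        have = getattr(cert, field.replace("-", "_"))
        return {"eq": have == want, "ne": have != want,
                "lt": have < want, "ge": have >= want}[op]
    raise ValueError(f"unknown certificate field {field}")


# One label maps sequence numbers to the rules of that ACL entry; every rule in an
# entry must match for the entry to match.
CertMap = Dict[int, List[Tuple[str, str, str]]]


def evaluate_map(cert_map: CertMap, cert: Certificate) -> Optional[int]:
    """Return the sequence number of the first matching entry, or None.

    Entries are processed from lowest to highest sequence number and processing
    stops at the first entry whose rules all match (a successful result)."""
    for seq in sorted(cert_map):
        if all(rule_matches(cert, f, op, v) for f, op, v in cert_map[seq]):
            return seq
    return None


# Constructed equivalent of the "Group" map: entry 10 matches DIAL anywhere in the
# subject name, entry 20 requires WAN in the ou= component and a pre-2049 expiry.
GROUP_MAP: CertMap = {
    10: [("issuer-name", "co", "Cisco Systems"), ("subject-name", "co", "DIAL")],
    20: [("issuer-name", "co", "Cisco Systems"), ("subject-name", "co", "ou=WAN"),
         ("expires-on", "lt", "jan 01 2049")],
}


def sample_cert(subject: str, issuer: str = "cn=Cisco Systems CA") -> Certificate:
    # Constructed certificate; the validity dates are arbitrary.
    return Certificate(subject_name=subject, issuer_name=issuer,
                       valid_start=datetime(2024, 1, 1),
                       expires_on=datetime(2026, 1, 1))


if __name__ == "__main__":
    print(evaluate_map(GROUP_MAP, sample_cert("cn=r1,ou=Dial-Pool,o=Cisco Systems")))
    print(evaluate_map(GROUP_MAP, sample_cert("cn=r2,ou = WAN,o=Cisco Systems")))
    print(evaluate_map(GROUP_MAP, sample_cert("cn=r3,ou=WAN,o=Cisco Systems", "cn=Other CA")))
```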
Related Commands
Command | Description
crypto pki trustpoint | Declares the CA that your router should use.
crypto pki certificate query (ca-trustpoint)
To specify that certificates should not be stored locally but retrieved from a certification authority (CA) trustpoint, use the crypto pki certificate query command in ca-trustpoint configuration mode. To cause certificates to be stored locally per trustpoint, use the no form of this command.
crypto pki certificate query
no crypto pki certificate query
Syntax Description
This command has no arguments or keywords.
Defaults
CA trustpoints are stored locally in the router's NVRAM.
Command Modes
Ca-trustpoint configuration
Command History
Release | Modification
12.2(8)T | The crypto ca certificate query (ca-trustpoint) command was introduced.
12.3(7)T | This command replaced the crypto ca certificate query (ca-trustpoint) command.
Usage Guidelines
Normally, certain certificates are stored locally in the router's NVRAM, and each certificate uses a moderate amount of memory. To save NVRAM space, you can use this command to put the router into query mode, preventing certificates from being stored locally; instead, they are retrieved from a specified CA trustpoint when needed. This will save NVRAM space but could result in a slight performance impact.
The crypto pki certificate query command is a subcommand for each trustpoint; thus, this command can be disabled on a per-trustpoint basis.
Before you can configure this command, you must enable the crypto pki trustpoint command, which puts you in ca-trustpoint configuration mode.
Note
This command deprecates the crypto ca certificate query command in global configuration mode. Although you can still enter the global configuration command, the configuration mode and command will be written back as ca-trustpoint.
Examples
The following example shows how to prevent certificates and certificate revocation lists (CRLs) from being stored locally on the router; instead, they are retrieved from the "ka" trustpoint when needed.
crypto pki certificate query
Related Commands
Command | Description
crypto pki trustpoint | Declares the CA that your router should use.
crypto pki crl request
To request that a new certificate revocation list (CRL) be obtained immediately from the certification authority, use the crypto pki crl request command in global configuration mode.
crypto pki crl request name
Syntax Description
name | Specifies the name of the CA. This is the same name used when the CA was declared with the crypto pki trustpoint command.
Defaults
Normally, the router requests a new CRL when it is verifying a certificate and there is no CRL cached.
Command Modes
Global configuration
Command History
Release | Modification
11.3 T | The crypto ca crl request command was introduced.
12.3(7)T | This command replaced the crypto ca crl request command.
Usage Guidelines
A CRL lists all the network device certificates that have been revoked. Revoked certificates will not be honored by your router; therefore, any IPSec device with a revoked certificate cannot exchange IP Security traffic with your router.
The first time your router receives a certificate from a peer, it will download a CRL from the CA. Your router then checks the CRL to make sure the certificate of the peer has not been revoked. (If the certificate appears on the CRL, it will not accept the certificate and will not authenticate the peer.)
A CRL can be reused with subsequent certificates until the CRL expires. If your router receives the certificate of a peer after the applicable CRL has expired, it will download the new CRL.
If your router has a CRL which has not yet expired, but you suspect that the contents of the CRL are out of date, use the crypto pki crl request command to request that the latest CRL be immediately downloaded to replace the old CRL.
This command is not saved to the configuration.
Note
This command should be used only after the trustpoint is enrolled.
Examples
The following example immediately downloads the latest CRL to your router:
crypto pki enroll
To obtain the certificate(s) of your router from the certification authority, use the crypto pki enroll command in global configuration mode. To delete a current enrollment request, use the no form of this command.
crypto pki enroll name
no crypto pki enroll name
Syntax Description
name | Specifies the name of the CA. Use the same name as when you declared the CA using the crypto pki trustpoint command.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Release | Modification
11.3 T | The crypto ca enroll command was introduced.
12.3(7)T | This command replaced the crypto ca enroll command.
Usage Guidelines
This command requests certificates from the CA for all of your router's RSA key pairs. This task is also known as enrolling with the CA. (Technically, enrolling and obtaining certificates are two separate events, but they both occur when this command is issued.)
Your router needs a signed certificate from the CA for each of its RSA key pairs. If you previously generated general purpose keys, this command will obtain the one certificate corresponding to the one general purpose RSA key pair. If you previously generated special usage keys, this command will obtain two certificates, one for each of the special usage RSA key pairs.
If you already have a certificate for your keys you will be unable to complete this command; instead, you will be prompted to remove the existing certificate first. (You can remove existing certificates with the no certificate command.)
The crypto pki enroll command is not saved in the router configuration.
Note
If your router reboots after you issue the crypto pki enroll command but before you receive the certificate(s), you must reissue the command.
Responding to Prompts
When you issue the crypto pki enroll command, you are prompted a number of times.
First, you are prompted to create a challenge password. This password can be up to 80 characters in length. This password is necessary in the event that you ever need to revoke your router's certificate(s). When you ask the CA administrator to revoke your certificate, you must supply this challenge password as a protection against fraudulent or mistaken revocation requests.
Note
This password is not stored anywhere, so you need to remember this password.
If you lose the password, the CA administrator may still be able to revoke the router's certificate but will require further manual authentication of the router administrator identity.
You are also prompted to indicate whether or not your router's serial number should be included in the obtained certificate. The serial number is not used by IP Security or Internet Key Exchange but may be used by the CA to either authenticate certificates or to later associate a certificate with a particular router. (Note that the serial number stored is the serial number of the internal board, not the one on the enclosure.) Ask your CA administrator if serial numbers should be included. If you are in doubt, include the serial number.
You are also prompted to indicate whether your router's IP address should be included in the certificate. Normally, you would not include the IP address, because the IP address binds the certificate more tightly to a specific entity, and if the router is moved you would need to issue a new certificate. Finally, a router has multiple IP addresses, any of which might be used with IPSec.
If you indicate that the IP address should be included, you will then be prompted to specify the interface of the IP address. This interface should correspond to the interface that you apply your crypto map set to. If you apply crypto map sets to more than one interface, specify the interface that you name in the crypto map local-address command.
Examples
In the following example, a router with a general-purpose RSA key pair requests a certificate from the CA. When the router displays the certificate fingerprint, the administrator verifies this number by calling the CA administrator, who checks the number. The fingerprint is correct, so the router administrator accepts the certificate.
There can be a delay between when the router administrator sends the request and when the certificate is actually received by the router. The amount of delay depends on the CA method of operation.
Router(config)# crypto pki enroll myca
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Re-enter password: <mypassword>
% The subject name in the certificate will be: myrouter.example.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 03433678
% Include an IP address in the subject name [yes/no]? yes
Request certificate from CA [yes/no]? yes
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto pki certificates' command will also show the fingerprint.
Some time later, the router receives the certificate from the CA and displays the following confirmation message:
Router(config)# Fingerprint: 01234567 89ABCDEF FEDCBA98 75543210
%CRYPTO-6-CERTRET: Certificate received from Certificate Authority
If necessary, the router administrator can verify the displayed Fingerprint with the CA administrator.
If there is a problem with the certificate request and the certificate is not granted, the following message is displayed on the console instead:
%CRYPTO-6-CERTREJ: Certificate enrollment request was rejected by Certificate Authority
The subject name in the certificate is automatically assigned to be the same as the RSA key pair's name. In the above example, the RSA key pair was named "myrouter.example.com." (The router assigned this name.)
Requesting certificates for a router with special usage keys would be the same as the previous example, except that two certificates would have been returned by the CA. When the router received the two certificates, the router would have displayed the same confirmation message:
%CRYPTO-6-CERTRET: Certificate received from Certificate Authority
Related Commands
Command | Description
debug crypto pki messages | Displays debug messages for the details of the interaction (message dump) between the CA and the router.
debug crypto pki transactions | Displays debug messages for the trace of interaction (message type) between the CA and the router.
show crypto pki certificates | Displays information about your certificate, the certificate of the CA, and any RA certificates.
crypto pki export pem
To export certificates and Rivest, Shamir, and Adleman (RSA) keys that are associated with a trustpoint in a privacy-enhanced mail (PEM)-formatted file, use the crypto pki export pem command in global configuration mode.
crypto pki export trustpoint pem {terminal | url url} {3des | des} passphrase
Syntax Description
trustpoint | Name of the trustpoint whose associated certificate and RSA key pair will be exported. The trustpoint argument must match the name that was specified via the crypto pki trustpoint command.
terminal | Displays the certificate and RSA key pair in PEM format on the console terminal.
url url | URL of the file system to which your router should export the certificate and RSA key pairs.
3des | Export the trustpoint using the Triple Data Encryption Standard (3DES) encryption algorithm.
des | Export the trustpoint using the DES encryption algorithm.
passphrase | Passphrase that is used to encrypt the PEM file for import. Note: The passphrase can be any phrase that is at least eight characters in length; it can include spaces and punctuation, excluding the question mark (?), which has special meaning to the Cisco IOS parser.
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Release | Modification
12.3(4)T | The crypto ca export pem command was introduced.
12.3(7)T | This command replaced the crypto ca export pem command.
Usage Guidelines
The crypto pki export pem command allows you to export certificate and RSA key pairs in PEM-formatted files. The PEM files can then be imported back into the Cisco IOS router (via the crypto pki import pem command) or other public key infrastructure (PKI) applications.
Examples
The following example shows how to generate and export the RSA key pair "aaa" and certificates of the router in PEM files that are associated with the trustpoint "mycs":
Router(config)# crypto key generate rsa general-keys label aaa exportable
The name for the keys will be:aaa
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose
Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]:
% Generating 512 bit RSA keys ...[OK]
Router(config)# crypto pki trustpoint mycs
Router(ca-trustpoint)# enrollment url http://mycs
Router(ca-trustpoint)# rsakeypair aaa
Router(ca-trustpoint)# exit
Router(config)# crypto pki authenticate mycs
Certificate has the following attributes:
Fingerprint:C21514AC 12815946 09F635ED FBB6CF31
% Do you accept this certificate? [yes/no]:y
Trustpoint CA certificate accepted.
Router(config)# crypto pki enroll mycs
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this password to the CA
Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
% The fully-qualified domain name in the certificate will be:Router
% The subject name in the certificate will be:bizarro.cisco.com
% Include the router serial number in the subject name? [yes/no]:n
% Include an IP address in the subject name? [no]:n
Request certificate from CA? [yes/no]:y
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto ca certificate' command will also show the fingerprint.
Router(config)# Fingerprint: 8DA777BC 08477073 A5BE2403 812DD157
00:29:11:%CRYPTO-6-CERTRET:Certificate received from Certificate Authority
Router(config)# crypto pki export aaa pem terminal 3des cisco123
-----BEGIN CERTIFICATE-----
MIICAzCCAa2gAwIBAgIBATANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzES
waDeNOSI3WlDa0AWq5DkVBkxwgn0TqIJXJOCttjHnWHK1LMcMVGn
-----END CERTIFICATE-----
Usage:General Purpose Key
-----BEGIN RSA PRIVATE KEY-----
DEK-Info:DES-EDE3-CBC,ED6B210B626BC81A
Urguv0jnjwOgowWVUQ2XR5nbzzYHI2vGLunpH/IxIsJuNjRVjbAAUpGk7VnPCT87
kLCOtxzEv7JHc72gMku9uUlrLSnFH5slzAtoC0czfU4=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIICTjCCAfigAwIBAgICIQUwDQYJKoZIhvcNAQEFBQAwTjELMAkGA1UEBhMCVVMx
-----END CERTIFICATE-----
Related Commands
Command
|
Description
|
crypto pki import pem
|
Imports certificates and RSA keys to a trustpoint from PEM-formatted files.
|
crypto pki trustpoint
|
Declares the CA that your router should use.
|
enrollment
|
Specifies the enrollment parameters of a CA.
|
crypto pki export pkcs12
To export Rivest, Shamir, and Adelman (RSA) keys within a PKCS12 file at a specified location, use the crypto pki export pkcs12 command in global configuration mode.
crypto pki export trustpointname pkcs12 destination url passphrase
Syntax Description
trustpointname
|
Name of the trustpoint that issues the certificate that a user is going to export. When you export the PKCS12 file, the trustpoint name is the RSA key name.
|
destination url
|
Location of the PKCS12 file to which the RSA key pair is exported.
|
passphrase
|
Passphrase that is used to encrypt the PKCS12 file for export.
|
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Release
|
Modification
|
12.2(15)T
|
The crypto ca export pkcs12 command was introduced.
|
12.3(7)T
|
This command replaced the crypto ca export pkcs12 command.
|
Usage Guidelines
The crypto pki export pkcs12 command creates a PKCS12 file that contains an RSA key pair. The PKCS12 file, along with a certificate authority (CA), is exported to the location that you specify with the destination URL. If you decide not to import the file to another router, you must delete the file.
Security Measures
Keep the PKCS12 file stored in a secure place with restricted access.
An RSA keypair is more secure than a passphrase because the private key in the key pair is not known by multiple parties. When you export an RSA key pair to a PKCS#12 file, the RSA key pair now is only as secure as the passphrase.
To create a good passphrase, be sure to include numbers, as well as both lowercase and uppercase letters. Avoid publicizing the passphrase by mentioning it in e-mail or cell phone communications because the information could be accessed by an unauthorized user.
Examples
The following example exports an RSA key pair with a trustpoint name "mytp" to a Flash file:
Router(config)# crypto pki export mytp pkcs12 flash:myexport mycompany
Related Commands
Command
|
Description
|
crypto pki import pkcs12
|
Imports RSA keys.
|
crypto pki import
To import a certificate manually via TFTP or as a cut-and-paste at the terminal, use the crypto pki import command in global configuration mode.
crypto pki import name certificate
Syntax Description
name certificate
|
Name of the certification authority (CA). This name is the same name used when the CA was declared with the crypto pki trustpoint command.
|
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Release
|
Modification
|
12.2(13)T
|
The crypto ca import command was introduced.
|
12.3(7)T
|
This command replaced the crypto ca import command.
|
Usage Guidelines
You must enter the crypto pki import command twice if usage keys (signature and encryption keys) are used. The first time the command is entered, one of the certificates is pasted into the router; the second time the command is entered, the other certificate is pasted into the router. (It does not matter which certificate is pasted first.)
Examples
The following example shows how to import a certificate via cut-and-paste. In this example, the CA trustpoint is "MS."
crypto pki authenticate MS
crypto pki import MS certificate
Related Commands
Command
|
Description
|
crypto pki trustpoint
|
Declares the CA that your router should use.
|
enrollment
|
Specifies the enrollment parameters of your CA.
|
enrollment terminal
|
Specifies manual cut-and-paste certificate enrollment.
|
crypto pki import pem
To import certificates and Rivest, Shamir, and Adelman (RSA) keys to a trustpoint from privacy-enhanced mail (PEM)-formatted files, use the crypto pki import pem command in global configuration mode.
crypto pki import trustpoint pem [usage-keys] {terminal | url url} [exportable] passphrase
Syntax Description
trustpoint
|
Name of the trustpoint that is associated with the imported certificates and RSA key pairs.
The trustpoint argument must match the name that was specified via the crypto pki trustpoint command.
|
usage-keys
|
(Optional) Specifies that two RSA special usage key pairs will be imported (that is, one encryption pair and one signature pair), instead of one general-purpose key pair.
|
terminal
|
Certificates and RSA key pairs will be manually imported from the console terminal.
|
url url
|
URL of the file system where your router should import the certificates and RSA key pairs.
|
exportable
|
(Optional) Specifies that the imported RSA key pair can be exported again to another Cisco device such as a router.
|
passphrase
|
Passphrase that is used to encrypt the PEM file for import.
Note The passphrase can be any phrase that is at least eight characters in length; it can include spaces and punctuation, excluding the question mark (?), which has special meaning to the Cisco IOS parser.
|
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Release
|
Modification
|
12.3(4)T
|
The crypto ca import pem command was introduced.
|
12.3(7)T
|
This command replaced the crypto ca import pem command.
|
Usage Guidelines
The crypto pki import pem command allows you to import certificates and RSA key pairs in PEM-formatted files. The files can have been exported previously from another router or generated by other public key infrastructure (PKI) applications.
Examples
The following example shows how to import PEM files to trustpoint "ggg" via TFTP:
Router(config)# crypto pki import ggg pem url tftp://10.1.1.2/johndoe/msca cisco1234
% Importing CA certificate...
Address or name of remote host [10.1.1.2]?
Destination filename [johndoe/msca.ca]?
Reading file from tftp://10.1.1.2/johndoe/msca.ca
Loading johndoe/msca.ca from 10.1.1.2 (via Ethernet0):!
% Importing private key PEM file...
Address or name of remote host [10.1.1.2]?
Destination filename [johndoe/msca.prv]?
Reading file from tftp://10.1.1.2/johndoe/msca.prv
Loading johndoe/msca.prv from 10.1.1.2 (via Ethernet0):!
% Importing certificate PEM file...
Address or name of remote host [10.1.1.2]?
Destination filename [johndoe/msca.crt]?
Reading file from tftp://10.1.1.2/johndoe/msca.crt
Loading johndoe/msca.crt from 10.1.1.2 (via Ethernet0):!
% PEM files import succeeded.
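Before a PEM bundle like the one printed by crypto pki export pem (CA certificate, RSA private key, router certificate) is stored or moved to the importing router, it is worth checking that the private key block is actually encrypted and which cipher protects it. The following Python is an added example, not Cisco code; its sample bundle is constructed to mirror the page's output layout, and the base64 bodies are placeholders rather than real keys or certificates.

```python
"""Inspect a PEM bundle as printed by 'crypto pki export ... pem terminal' and
report what a reviewer should act on before the bundle leaves the terminal.
Added example, not Cisco code. SAMPLE_BUNDLE is constructed; its base64 bodies
are placeholders, not real key or certificate material."""
from __future__ import annotations
import base64
import re
from dataclasses import dataclass, field

BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


@dataclass
class PemBlock:
    label: str                                   # e.g. CERTIFICATE, RSA PRIVATE KEY
    headers: dict = field(default_factory=dict)  # e.g. DEK-Info, Proc-Type
    der: bytes = b""

    @property
    def is_private_key(self) -> bool:
        return "PRIVATE KEY" in self.label

    @property
    def is_encrypted(self) -> bool:
        # Legacy OpenSSL-style PEM encryption is signalled by a DEK-Info header
        # (the page's export shows 'DEK-Info:DES-EDE3-CBC,<iv>'); PKCS#8 uses
        # the ENCRYPTED PRIVATE KEY label instead.
        return "DEK-Info" in self.headers or self.label == "ENCRYPTED PRIVATE KEY"

    @property
    def cipher(self) -> str | None:
        dek = self.headers.get("DEK-Info")
        return dek.split(",")[0].strip() if dek else None


def parse_pem_bundle(text: str) -> list[PemBlock]:
    """Split a bundle into blocks; lines outside BEGIN/END (such as the
    'Usage:General Purpose Key' line in the router output) are ignored."""
    blocks, current, body = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = BEGIN.match(line)
        if m:
            current, body = PemBlock(m.group(1)), []
            continue
        if current is None:
            continue
        m = END.match(line)
        if m:
            if m.group(1) != current.label:
                raise ValueError(f"BEGIN {current.label} closed by END {m.group(1)}")
            current.der = base64.b64decode("".join(body), validate=True)
            blocks.append(current)
            current = None
            continue
        if ":" in line and not body:          # header lines precede the base64 body
            key, value = line.split(":", 1)
            current.headers[key.strip()] = value.strip()
        elif line:
            body.append(line)
    if current is not None:
        raise ValueError(f"unterminated PEM block: {current.label}")
    return blocks


def audit_bundle(text: str) -> list[str]:
    """Return findings for the bundle: a clear-text private key, a legacy
    cipher, or a missing CA/router certificate pair."""
    findings = []
    blocks = parse_pem_bundle(text)
    certs = [b for b in blocks if b.label == "CERTIFICATE"]
    keys = [b for b in blocks if b.is_private_key]
    if not keys:
        findings.append("no private key block")
    for k in keys:
        if not k.is_encrypted:
            findings.append("private key is stored in clear text")
        elif k.cipher == "DES-EDE3-CBC":
            findings.append("private key uses legacy 3DES (DES-EDE3-CBC) PEM encryption")
    if len(certs) < 2:
        findings.append(f"expected CA and router certificates, found {len(certs)}")
    return findings


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


# Constructed bundle in the layout of the page's export output (3des export).
SAMPLE_BUNDLE = f"""-----BEGIN CERTIFICATE-----
{_b64(b'constructed CA certificate placeholder')}
-----END CERTIFICATE-----
Usage:General Purpose Key
-----BEGIN RSA PRIVATE KEY-----
DEK-Info:DES-EDE3-CBC,ED6B210B626BC81A
{_b64(b'constructed encrypted key placeholder')}
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
{_b64(b'constructed router certificate placeholder')}
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for finding in audit_bundle(SAMPLE_BUNDLE):
        print("finding:", finding)
```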
Related Commands
Command
|
Description
|
crypto pki export pem
|
Exports certificates and RSA keys that are associated with a trustpoint in a PEM-formatted file.
|
crypto pki trustpoint
|
Declares the CA that your router should use.
|
enrollment
|
Specifies the enrollment parameters of a CA.
|
crypto pki import pkcs12
To import Rivest, Shamir, and Adelman (RSA) keys, use the crypto pki import pkcs12 command in global configuration mode.
crypto pki import trustpointname pkcs12 source url passphrase
Syntax Description
trustpointname
|
Name of the trustpoint that issues the certificate that a user is going to export or import. When importing, the trustpoint name will become the RSA key name.
|
source url
|
Location of the PKCS12 file from which the RSA key pair is imported.
|
passphrase
|
Passphrase that must be entered to undo encryption when the RSA keys are imported.
|
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Release
|
Modification
|
12.2(15)T
|
The crypto ca import pkcs12 command was introduced.
|
12.3(7)T
|
This command replaced the crypto ca import pkcs12 command.
|
Usage Guidelines
When you enter the crypto pki import pkcs12 command, a key pair and a trustpoint are generated. If you then decide you want to remove the key pair and trustpoint that were generated, enter the crypto key zeroize rsa command to zeroize the key pair and enter the no crypto pki trustpoint command to remove the trustpoint.
Note
After you import RSA keys to a target router, you cannot export those keys from the target router to another router.
Examples
In the following example, an RSA key pair that has been associated with the trustpoint "forward" is to be imported:
Router(config)# crypto pki import forward pkcs12 flash:myexport mycompany
Related Commands
Command
|
Description
|
crypto pki export pkcs12
|
Exports RSA keys.
|
crypto pki trustpoint
|
Declares the CA that your router should use.
|
crypto key zeroize rsa
|
Deletes all RSA keys from your router.
|
crypto pki profile enrollment
To define an enrollment profile, use the crypto pki profile enrollment command in global configuration mode. To delete all information associated with this enrollment profile, use the no form of this command.
crypto pki profile enrollment label
no crypto pki profile enrollment label
Syntax Description
label
|
Name for the enrollment profile; the enrollment profile name must match the name specified in the enrollment profile command.
|
Defaults
An enrollment profile does not exist.
Command Modes
Global configuration
Command History
Release
|
Modification
|
12.2(13)ZH
|
This command was introduced.
|
12.3(4)T
|
This command was integrated into Cisco IOS Release 12.3(4)T.
|
12.3(7)T
|
This command replaced the crypto ca profile enrollment command.
|
Usage Guidelines
Before entering this command, you must specify a named enrollment profile using the enrollment profile command in ca-trustpoint configuration mode.
After entering the crypto pki profile enrollment command, you can use any of the following commands to define the profile parameters:
• authentication command—Specifies the HTTP command that is sent to the certification authority (CA) for authentication.
• authentication terminal—Specifies manual cut-and-paste certificate authentication requests.
• authentication url—Specifies the URL of the CA server to which to send authentication requests.
• enrollment command—Specifies the HTTP command that is sent to the CA for enrollment.
• enrollment terminal—Specifies manual cut-and-paste certificate enrollment.
• enrollment url—Specifies the URL of the CA server to which to send enrollment requests.
• parameter—Specifies parameters for an enrollment profile. This command can be used only if the authentication command or the enrollment command is used.
Note
The authentication url, enrollment url, authentication terminal, and enrollment terminal commands allow you to specify different methods for certificate authentication and enrollment, such as TFTP authentication and manual enrollment.
Examples
The following example shows how to define the enrollment profile named "E" and associated profile parameters:
crypto pki trustpoint Entrust
crypto pki profile enrollment E
authentication url http://entrust:81
authentication command GET /certs/cacert.der
enrollment url http://entrust:81/cda-cgi/clientcgi.exe
enrollment command POST reference_number=$P2&authcode=$P1&retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQ
parameter 1 value aaaa-bbbb-cccc
Related Commands
Command
|
Description
|
crypto pki trustpoint
|
Declares the PKI trustpoint that your router should use.
|
enrollment profile
|
Specifies that an enrollment profile can be used for certificate authentication and enrollment.
|
crypto pki server
To enable a Cisco IOS certificate server and enter certificate server configuration mode, use the crypto pki server command in global configuration mode. To disable a certificate server (which is the default functionality), use the no form of this command.
crypto pki server cs-label
no crypto pki server cs-label
Syntax Description
cs-label
|
Name of the certificate server.
Note The certificate server name should not exceed 13 characters.
|
Defaults
A certificate server is not enabled.
Command Modes
Global configuration
Command History
Release
|
Modification
|
12.3(4)T
|
This command was introduced.
|
Usage Guidelines
A certificate server allows you to more easily deploy public key infrastructure (PKI) by defining default behavior, which limits user interface complexity. To define the functionality of the certificate server, you can use any of the following certificate server configuration mode commands:
• database (certificate server)—Requires a username or password to be issued when accessing a database storage location.
• database level—Controls what type of data is stored in the certificate enrollment database.
• database url—Specifies the location where all database entries for the certificate server will be written out.
• grant automatic—Specifies automatic certificate enrollment.
Note
This command can be used for testing and building simple networks; however, it is recommended that you do not issue this command if your network is generally accessible.
• issuer-name—Specifies the distinguished name (DN) as the certification authority (CA) issuer name for the certificate server.
• lifetime (certificate server)—Specifies the lifetime of the CA or a certificate.
• lifetime crl—Defines the lifetime of the certificate revocation list (CRL) that is used by the certificate server.
• shutdown—Allows a certificate server to be disabled without removing the configuration.
Note
All of these commands are optional; thus, any basic certificate server functionality that is not specified via the command-line interface (CLI) will use the default value.
Examples
The following example shows how to enable the certificate server "mycertserver":
Router(config)# ip http server
Router(config)# crypto pki server mycertserver
Router(cs-server)# database url tftp://mytftp/johndoe/mycertserver
The following example shows how to disable the certificate server "mycertserver":
Router(config)# no crypto pki server mycertserver
% This will stop the Certificate Server process and delete the server
Are you sure you want to do this? [yes/no]: yes
% Do you also want to remove the associated trustpoint and
signing certificate and key? [yes/no]: no
% Certificate Server Process stopped
Related Commands
Command
|
Description
|
crypto pki server info requests
|
Displays all outstanding certificate enrollment requests.
|
ip http server
|
Enables an HTTP server on your network.
|
crypto pki server grant
To grant all or certain simple certificate enrollment protocol (SCEP) requests, use the crypto pki server grant command in privileged EXEC mode.
crypto pki server cs-label grant {all | req-id}
Syntax Description
cs-label
|
Name of the certificate server. The name must match the name specified via the crypto pki server command.
|
all
|
All certificate enrollment requests are granted.
|
req-id
|
ID associated with a specific enrollment request in the enrollment request database. Use the crypto pki server info requests command to display the ID.
|
Defaults
If this command is not issued, the certificate server keeps the requests in a pending state.
Command Modes
Privileged EXEC
Command History
Release
|
Modification
|
12.3(4)T
|
This command was introduced.
|
Usage Guidelines
After you enable the crypto pki server grant command, your certificate server will immediately grant all specified certificate requests. Certificate requests that are not granted will expire after the time that was specified using the lifetime enrollment-request command.
Examples
The following example shows to grant all manual enrollment requests for the certificate server "mycs":
Router# crypto pki server mycs grant all
Related Commands
Command
|
Description
|
crypto pki server
|
Enables a Cisco IOS certificate server and enters certificate server configuration mode.
|
crypto pki server reject
|
Rejects all or certain SCEP requests.
|
crypto pki server info crl
To display information regarding the status of the current certificate revocation list (CRL), use the crypto pki server info crl command in privileged EXEC mode.
crypto pki server cs-label info crl
Syntax Description
cs-label
|
Name of the certificate server. The name must match the name specified via the crypto pki server command.
|
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Release
|
Modification
|
12.3(4)T
|
This command was introduced.
|
Usage Guidelines
CRLs are issued once every specified time period via the lifetime crl command. It is the responsibility of the network administrator to ensure that the CRL is available from the location that is specified via the cdp-url command. To access information, such as the lifetime and location of the CRL, use the crypto pki server info crl command.
Examples
The following example shows how to access CRL information for the certificate server "mycs":
Router# crypto pki server mycs info crl
Related Commands
Command
|
Description
|
cdp-url
|
Specifies a CDP to be used in certificates that are issued by the certificate server.
|
crypto pki server
|
Enables a Cisco IOS certificate server and enters certificate server configuration mode.
|
lifetime crl
|
Defines the lifetime of the CRL that is used by the certificate server.
|
crypto pki server info requests
To display all outstanding certificate enrollment requests, use the crypto pki server info requests command in privileged EXEC mode.
crypto pki server cs-label info requests
Syntax Description
cs-label
|
Name of the certificate server. The name must match the name specified via the crypto pki server command.
|
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Release
|
Modification
|
12.3(4)T
|
This command was introduced.
|
Usage Guidelines
A certificate enrollment request functions as follows:
• The certificate server receives the enrollment request from an end user, and the following actions occur:
– A request entry is created in the enrollment request database with the initial state. (See the show pki server command for a complete list of certificate enrollment request states.)
– The certificate server refers to the command-line interface (CLI) configuration (or the default behavior any time a parameter is not specified) to determine the authorization of the request. Thereafter, the state of the enrollment request is updated in the enrollment request database.
• At each Simple Certificate Enrollment Protocol (SCEP) query for a response, the certificate server examines the current request and performs one of the following actions:
– Responds to the end user with a "pending" or "denied" state.
– Forwards the request to the certification authority (CA) core, which generates and signs the appropriate certificate, stores the certificate in the enrollment request database, and returns the request to the built-in certificate server SCEP server, which replies to the end user with the certificate on the next SCEP request.
If the connection of the client has closed, the certificate server waits for the client to request another certificate.
All enrollment requests transition through the certificate enrollment states that are defined in Table 19.
Table 19 Certificate Enrollment States
Certificate Enrollment State
|
Description
|
initial
|
The request has been created by the SCEP server.
|
authorized
|
The certificate server has authorized the request.
|
malformed
|
The certificate server has determined that the request is invalid for cryptographic reasons.
|
denied
|
The certificate server has denied the request for policy reasons.
|
pending
|
The enrollment request must be manually accepted by the network administrator.
|
granted
|
The CA core has generated the appropriate certificate for the certificate request.
|
Examples
The following example shows output for the certificate server "certsrv1," which has a pending certificate enrollment request:
Router# crypto pki server certsrv1 info requests
Enrollment Request Database:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
1 pending 0A71820219260E526D250ECC59857C2D serialNumber=2326115A+hostname=831.
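The fingerprint column in this output is what lets the CA administrator tie a pending request to the "Fingerprint:" line the enrolling router printed during crypto pki enroll, before deciding between crypto pki server grant and crypto pki server reject. The following Python is an added example, not Cisco code: it parses the info requests table, validates states against Table 19, and marks a pending request as safe to grant only when its fingerprint matches one reported out of band. The sample table and reported fingerprints are constructed (the first row reuses the page's example, the second reuses the fingerprint and subject name from the page's enrollment example).

```python
"""Match requests listed by 'crypto pki server <cs-label> info requests'
against fingerprints the enrolling routers reported out of band.
Added example, not Cisco code; SAMPLE_OUTPUT and REPORTED are constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Certificate enrollment states from Table 19.
STATES = {"initial", "authorized", "malformed", "denied", "pending", "granted"}


@dataclass
class EnrollmentRequest:
    req_id: int
    state: str
    fingerprint: str   # 32 uppercase hex digits, no spaces
    subject: str


def normalize_fingerprint(text: str) -> str:
    """Canonicalize a fingerprint so the spaced form the enrolling router
    prints ('8DA777BC 08477073 ...') compares equal to the packed form the
    server prints. Raises ValueError unless it is 32 hex digits."""
    fp = re.sub(r"[\s:]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{32}", fp):
        raise ValueError(f"not a 128-bit hex fingerprint: {text!r}")
    return fp


def parse_info_requests(output: str) -> list[EnrollmentRequest]:
    """Parse the Enrollment Request Database table. Everything before the
    dashed rule is header; each row is: ReqID State Fingerprint SubjectName
    (the subject name may itself contain spaces, so it is taken whole)."""
    rows, in_table = [], False
    for line in output.splitlines():
        if re.fullmatch(r"-{10,}", line.strip()):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            raise ValueError(f"unexpected row: {line!r}")
        req_id, state, fp, subject = parts
        if state not in STATES:
            raise ValueError(f"unknown state {state!r} in reqId {req_id}")
        rows.append(EnrollmentRequest(int(req_id), state, normalize_fingerprint(fp), subject))
    return rows


def decide(requests: list[EnrollmentRequest], reported: dict[str, str]) -> dict[str, list[int]]:
    """Split pending requests into those whose fingerprint matches the value
    reported for that subject (candidates for 'grant <req-id>') and those that
    do not ('hold': leave pending, or reject after investigation).
    'reported' maps SubjectName -> fingerprint as relayed to the administrator."""
    want = {subj: normalize_fingerprint(fp) for subj, fp in reported.items()}
    verdict: dict[str, list[int]] = {"grant": [], "hold": []}
    for r in requests:
        if r.state != "pending":
            continue  # only pending requests wait on the administrator
        if want.get(r.subject) == r.fingerprint:
            verdict["grant"].append(r.req_id)
        else:
            verdict["hold"].append(r.req_id)
    return verdict


# Constructed table in the format of the page's 'info requests' output.
SAMPLE_OUTPUT = """\
Enrollment Request Database:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
1 pending 0A71820219260E526D250ECC59857C2D serialNumber=2326115A+hostname=831.
2 pending 8DA777BC08477073A5BE2403812DD157 hostname=bizarro.cisco.com
3 granted 1111222233334444555566667777AAAA hostname=branch2.example
"""

# Constructed: fingerprints as read to the administrator by each router's
# operator. The value for reqId 1 differs in its last digit from the table.
REPORTED = {
    "hostname=bizarro.cisco.com": "8DA777BC 08477073 A5BE2403 812DD157",
    "serialNumber=2326115A+hostname=831.": "0A718202 19260E52 6D250ECC 59857C2E",
}


def verdict_for_sample() -> dict[str, list[int]]:
    return decide(parse_info_requests(SAMPLE_OUTPUT), REPORTED)


if __name__ == "__main__":
    v = verdict_for_sample()
    print("grant:", v["grant"], "hold:", v["hold"])  # grant: [2] hold: [1]
```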
Related Commands
Command
|
Description
|
crypto pki server
|
Enables a Cisco IOS certificate server and enters PKI configuration mode.
|
crypto pki server password generate
To generate a password for simple certificate enrollment protocol (SCEP) requests that can be used only one time, use the crypto pki server password generate command in privileged EXEC mode.
crypto pki server cs-label password generate [minutes]
Syntax Description
cs-label
|
Name of the certificate server. The name must match the name specified via the crypto pki server command.
|
minutes
|
(Optional) Length of time, in minutes, that the password is valid. Valid times range from 1 to 1440 minutes. The default value is 60 minutes.
|
Defaults
If this command is not enabled, no password is created.
Command Modes
Privileged EXEC
Command History
Release
|
Modification
|
12.3(4)T
|
This command was introduced.
|
Usage Guidelines
SCEP, which is the only supported enrollment protocol, supports two client authentication mechanisms—manual and preshared key. Manual enrollment requires the administrator at the certification authority (CA) server to specifically authorize the enrollment requests; enrollment using preshared keys allows the administrator to preauthorize enrollment requests by generating a one-time password.
Note
Only one password is valid at a time; if a second password is generated, the previous password is no longer valid.
Examples
The following example shows how to generate a one-time password that is valid for 75 minutes for the certificate server "mycs":
Router# crypto pki server mycs password generate 75
Related Commands
Command
|
Description
|
crypto pki server
|
Enables a Cisco IOS certificate server and enters certificate server configuration mode.
|
crypto pki server reject
To reject all or certain Simple Certificate Enrollment Protocol (SCEP) requests, use the crypto pki server reject command in privileged EXEC mode.
crypto pki server cs-label reject {all | req-id}
Syntax Description
cs-label
|
Name of the certificate server. The name must match the name specified via the crypto pki server command.
|
all
|
All certificate enrollment requests are rejected.
|
req-id
|
ID associated with a specific enrollment request in enrollment request database. Use the crypto pki server info requests command to display the ID.
|
Defaults
If this command is not issued, the certificate server keeps the requests in a pending state.
Command Modes
Privileged EXEC
Command History
Release
|
Modification
|
12.3(4)T
|
This command was introduced.
|
Usage Guidelines
After you enable the crypto pki server reject command, your certificate server will immediately reject all certificate requests.
SCEP, which is the only supported enrollment protocol, supports two client authentication mechanisms—manual and preshared key. Manual enrollment requires the administrator at the certification authority (CA) server to specifically authorize the enrollment requests. The administrator can become overloaded if there are numerous enrollment requests. Thus, the crypto pki server reject command can reduce user interaction by automatically rejecting all or specific enrollment requests.
Examples
The following example shows how to reject all manual enrollment requests for the certificate server "mycs":
Router# crypto pki server mycs reject all
Related Commands
Command
|
Description
|
crypto pki server
|
Enables a Cisco IOS certificate server and enters certificate server configuration mode.
|
crypto pki server grant
|
Grants all or certain SCEP requests.
|
crypto pki server info requests
|
Displays all outstanding certificate enrollment requests.
|
crypto pki server remove
To remove enrollment requests that are in the certificate server Enrollment Request Database, use the crypto pki server remove command in privileged EXEC mode. This command does not have a no form.
crypto pki server cs-label remove {all | req-id}
Syntax Description
cs-label
|
Name of the certificate server.
|
all
|
Removes all enrollment requests.
|
req-id
|
Removes the specified enrollment request.
|
Defaults
Enrollment requests will remain in the certificate server database.
Command Modes
Privileged EXEC
Command History
Release
|
Modification
|
12.3(11)T
|
This command was introduced.
|
Usage Guidelines
After the certificate server receives an enrollment request, it can leave the request pending, reject it, or grant it. Before this command was added, the request would be left in the Enrollment Request Database for 1 hour until the client polled the certificate server for the result of the request. This command allows you to remove individual or all requests from the database, which is especially useful if the client leaves and never polls the certificate server.
In addition, the use of this command also allows the server to be returned to a clean slate with respect to the keys and transaction IDs. Thus, it is a useful command to use during troubleshooting with a Simple Certificate Enrollment Protocol (SCEP) client that may be behaving badly.
Examples
The following example shows that all enrollment requests are to be removed from the certificate server:
Router# crypto pki server server1 remove all
Related Commands
Command
|
Description
|
crypto pki server info requests
|
Displays all outstanding enrollment requests.
|
crypto pki server request pkcs10
To manually add a certificate request to the request database, use the crypto pki server request pkcs10 command in privileged EXEC mode.
crypto pki server cs-label request pkcs10 {url | terminal} [pem]
Syntax Description
cs-label
|
Name of the certificate server. The name must match the name specified via the crypto pki server command.
|
url
|
URL of the file system from which the certificate server should retrieve the PKCS10 enrollment request and to which it should post the granted certificate. For a list of available options, see Table 20.
Note The request file name should have a .req extension and the granted certificate file name will have a .crt extension (see the URL example in the section "Examples").
|
terminal
|
Certificate requests will be manually pasted from the console terminal, and the granted certificate will be displayed on the console.
|
pem
|
(Optional) Privacy-enhanced mail (PEM) headers are automatically added to the certificate after the certificate is granted.
|
Defaults
No default behavior or values.
Command Modes
Privileged EXEC
Command History
Release
|
Modification
|
12.3(4)T
|
This command was introduced.
|
Usage Guidelines
Use the crypto pki server request pkcs10 command to manually add either a base64-encoded or PEM-formatted PKCS10 certificate enrollment request. This command is especially useful when the client does not have a network connection with the certificate server so that it can do Simple Certificate Enrollment Protocol (SCEP) enrollment. After the certificate is granted, the certificate will be displayed on the console terminal using base64 encoding if the terminal keyword is specified, or it will be sent to the file system that is specified using the url argument. If the pem keyword is specified, PEM headers are also added to the certificate.
The url argument allows you to specify or change the location in which the certificate server retrieves the new certificate request and posts the granted certificate. Table 20 lists available file system options.
Table 20 File System Options
Location
|
Description
|
cns:
|
Retrieves certificate from Cisco Networking Services (CNS): file system
|
flash:
|
Retrieves certificate from flash: file system
|
ftp:
|
Retrieves certificate from FTP: file system
|
http:
|
Retrieves certificate from HTTP: file system
|
https:
|
Retrieves certificate from Secure HTTP (HTTPS): file system
|
null:
|
Retrieves certificate from null: file system
|
nvram:
|
Retrieves certificate from NVRAM: file system
|
rcp:
|
Retrieves certificate from remote copy protocol (rcp): file system
|
scp:
|
Retrieves certificate from secure copy protocol (scp): file system
|
system:
|
Retrieves certificate from system: file system
|
tftp:
|
Retrieves certificate from TFTP: file system
|
Examples
The following example shows how to manually add a base64-encoded certificate request with PEM boundaries to the request database:
Router# crypto pki server mycs request pkcs10 terminal pem
% Enter Base64 encoded or PEM formatted PKCS10 enrollment request.
% End with a blank line or "quit" on a line by itself.
-----BEGIN CERTIFICATE REQUEST-----
MIIBdTCB3wIBADA2MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNQ2lzY28gU3lzdGVt
czEPMA0GA1UEAxMGdGVzdCAxMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDF
EFukc2lCFSHtDJn6HFR2n8rpdhlAYwcs0m68N3iRYHonv847h0/H6utTHVd2qEEo
rNw97jMRZk6BLhVDc05TKGHvUlBlHQWwc/BqpVI8WiHzZdskUH/DUM8kd67Vkjlb
e+FF7WrWT4FIO4vR4rF1V2p3FZ+A29UNc9Pi1s98nQIDAQABoAAwDQYJKoZIhvcN
AQEEBQADgYEAUQCGNzzNJwBOCwmEmG8XEGFSZWDmFlctm8VWvaZYMPOt+vl6iwFk
RmtD1Kg91Vw/qT5FJN8LmGUopOWIrwH4rUWON+TqtRmv2dgsdL5T4dx0sgG5E0s4
T302paxEHiHVRJpe8OD7FJgOvdsKRziCpyD4/Jfb1WnSVQZmvIYAxVQ=
-----END CERTIFICATE REQUEST-----
% Enrollment request pending, reqId=2
Router# crypto pki server mycs grant 2
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
The following example shows how to retrieve a certificate request and add it to the request database (using the url argument).
Note
The request file name should have a .req extension and the certificate file name a .crt extension.
Router# crypto pki server mycs request pkcs10 tftp://172.69.1.129/router5
% Retrieving Base64 encoded or PEM formatted PKCS10 enrollment request...
Reading file from tftp://172.69.1.129/router5.req
Loading router5.req from 172.69.1.129 (via Ethernet0): !
% Enrollment request pending, reqId=1
Router# crypto pki server mycs grant 1
% Writing out the granted certificate...
!Writing file to tftp://172.69.1.129/router5.crt!
Related Commands
Command
|
Description
|
crypto pki server
|
Enables a Cisco IOS certificate server and enters certificate server configuration mode.
|
crypto pki server grant
|
Grants all or certain SCEP requests.
|
crypto pki server revoke
To revoke a certificate on the basis of its serial number, use the crypto pki server revoke command in privileged EXEC mode.
crypto pki server cs-label revoke certificate-serial-number
Syntax Description
cs-label
|
Name of the certificate server. The name must match the name specified via the crypto pki server command.
|
certificate-serial-number
|
Serial number of the certificate that is to be revoked. The serial number can be a hexadecimal number with the prefix "0x" (for example, 0x4c) or a decimal number (for example, 76).
|
Defaults
Certificates are revoked on the basis of their name.
Command Modes
Privileged EXEC
Command History
Release
|
Modification
|
12.3(4)T
|
This command was introduced.
|
Usage Guidelines
When a new certificate revocation list (CRL) is issued, the certificate server obtains the previous CRL, makes the appropriate changes, and re-signs the new CRL. A new CRL is issued after a certificate is revoked from the CLI. If this process negatively affects router performance, the crypto pki server revoke command can be used to revoke a list or range of certificates.
Note
A new CRL cannot be issued unless the current CRL is revoked or changed.
Examples
The following examples show how to revoke a certificate with the serial number 76 (0x4c in hexadecimal) from the certificate server "mycs":
Router# crypto pki server mycs revoke 76
Router# crypto pki server mycs revoke 0x4c
Related Commands
Command
|
Description
|
cdp-url
|
Specifies that CDP should be used in the certificates that are issued by the certificate server.
|
crypto pki server
|
Enables a Cisco IOS certificate server and enters certificate server configuration mode.
|
crypto pki trustpoint
To declare the trustpoint that your router should use, use the crypto pki trustpoint command in global configuration mode. To delete all identity information and certificates associated with the trustpoint, use the no form of this command.
crypto pki trustpoint name
no crypto pki trustpoint name
Syntax Description
| name | Creates a name for the trustpoint. (If you previously declared the trustpoint and just want to update its characteristics, specify the name you previously created.) |
Defaults
Your router does not recognize any trustpoints until you declare a trustpoint using this command.
Command Modes
Global configuration
Command History
| Release | Modification |
| 12.2(8)T | The crypto ca trustpoint command was added. |
| 12.2(15)T | The match certificate subcommand was introduced. |
| 12.3(7)T | This command replaced the crypto ca trustpoint command. You can still enter the crypto ca trusted-root or crypto ca trustpoint command, but the command will be written in the configuration as "crypto pki trustpoint." |
Usage Guidelines
Use the crypto pki trustpoint command to declare a trustpoint, which can be a self-signed root CA or a subordinate CA. Issuing the crypto pki trustpoint command puts you in ca-trustpoint configuration mode.
You can specify characteristics for the trustpoint using the following subcommands:
• crl—Queries the certificate revocation list (CRL) to ensure that the certificate of the peer has not been revoked.
• default (ca-trustpoint)—Resets the value of ca-trustpoint configuration mode subcommands to their defaults.
• enrollment—Specifies enrollment parameters (optional).
• enrollment http-proxy—Accesses the CA by HTTP through the proxy server.
• match certificate—Associates a certificate-based access control list (ACL) defined with the crypto ca certificate map command.
• primary—Assigns a specified trustpoint as the primary trustpoint of the router.
• root—Defines the Trivial File Transfer Protocol (TFTP) to get the CA certificate and specifies both a name for the server and a name for the file that will store the CA certificate.
The following example shows how to declare the CA named "ka" and specify enrollment and CRL parameters:
enrollment url http://kahului:80
The following example shows a certificate-based access control list (ACL) with the label "Group" defined in a crypto pki certificate map command and included in the match certificate subcommand of the crypto pki trustpoint command:
crypto pki certificate map Group 10
crypto pki trustpoint pki1
Related Commands
| Command | Description |
| crl | Queries the CRL to ensure that the certificate of the peer has not been revoked. |
| default (ca-trustpoint) | Resets the value of a ca-trustpoint configuration subcommand to its default. |
| enrollment | Specifies the enrollment parameters of your CA. |
| enrollment http-proxy | Accesses the CA by HTTP through the proxy server. |
| primary | Assigns a specified trustpoint as the primary trustpoint of the router. |
| root | Obtains the CA certificate via TFTP. |
crypto provisioning petitioner
To configure a device to become an easy secure device provisioning (SDP) petitioner and enter tti-petitioner configuration mode, use the crypto provisioning petitioner command in global configuration mode. To disable petitioner support, use the no form of this command.
crypto provisioning petitioner
no crypto provisioning petitioner
Syntax Description
This command has no arguments or keywords.
Defaults
A device (with a crypto image) is configured to be an SDP petitioner.
Command Modes
Global configuration
Command History
| Release | Modification |
| 12.3(8)T | The crypto wui tti petitioner command was introduced. |
| 12.3(14)T | This command replaced the crypto wui tti petitioner command. |
Usage Guidelines
SDP uses Trusted Transitive Introduction (TTI) to easily deploy public key infrastructure (PKI) between two end devices. TTI, which is a communication protocol that provides a bidirectional introduction between two end entities, involves the following three entities:
• Introducer—A mutually trusted device that introduces the petitioner to the registrar. The introducer can be a device user, such as a system administrator.
• Petitioner—A new device that is joined to the secure domain.
• Registrar—A server that authorizes the petitioner. The registrar can be a certificate server.
Note
Because the petitioner is enabled by default on the device, you only have to issue the crypto provisioning petitioner command if you have previously disabled the petitioner or if you want to use an existing trustpoint instead of the automatically generated trustpoint.
Examples
After the SDP exchange is complete, the petitioner will automatically enroll with the registrar and obtain a certificate. The following sample output from the show running-config command shows an automatically generated configuration at the petitioner.
Note
The petitioner will not have any TTI-specific configuration in the beginning except that the IP HTTP server will be turned on and the Domain Name System (DNS) server needs to be properly configured.
crypto pki trustpoint tti
! Enrollment url contains the registrar CS details
enrollment url http://pki1-36a.cisco.com:80
Related Commands
| Command | Description |
| crypto provisioning registrar | Configures a device to become an SDP registrar and enters tti-registrar configuration mode. |
| trustpoint (tti-petitioner) | Specifies the trustpoint that is to be associated with the TTI exchange between the SDP petitioner and the SDP registrar. |
crypto provisioning registrar
To configure a device to become an easy secure device provisioning (SDP) registrar and enter tti-registrar configuration mode, use the crypto provisioning registrar command in global configuration mode. To disable registrar support, use the no form of this command.
crypto provisioning registrar
no crypto provisioning registrar
Syntax Description
This command has no arguments or keywords.
Defaults
The registrar is not enabled.
Command Modes
Global configuration
Command History
| Release | Modification |
| 12.3(8)T | The crypto wui tti registrar command was introduced. |
| 12.3(14)T | This command replaced the crypto wui tti registrar command. |
Usage Guidelines
SDP uses Trusted Transitive Introduction (TTI) to easily deploy public key infrastructure (PKI) between two end devices. TTI, which is a communication protocol that provides a bidirectional introduction between two end entities, involves the following three entities:
• Introducer—A mutually trusted device that introduces the petitioner to the registrar. The introducer can be a device user, such as a system administrator.
• Petitioner—A new device that is joined to the secure domain.
• Registrar—A server that authorizes the petitioner.
Although any device that contains a crypto image can be the registrar, it is recommended that the registrar be either a Cisco IOS certificate server registration authority (RA) or a Cisco IOS certificate server root.
Examples
The following sample output from the show running-config command verifies that the certificate server "cs1" was configured and associated with the TTI exchange between the registrar and petitioner:
issuer-name CN = ioscs,L = Santa Cruz,C =US
crypto pki trustpoint pki-36a
enrollment url http://pki-36a:80
ip-address FastEthernet0/0
crypto pki trustpoint cs1
crypto pki certificate chain pki-36a
crypto pki certificate chain cs1
crypto provisioning registrar
crypto ipsec transform-set test_transformset esp-3des
crypto map test_cryptomap 10 ipsec-isakmp
set security-association lifetime seconds 1800
set transform-set test_transformset
Related Commands
| Command | Description |
| crypto pki server | Enables a Cisco IOS certificate server and enters certificate server configuration mode. |
| crypto provisioning petitioner | Configures a device to become an SDP petitioner and enters tti-petitioner configuration mode. |
crypto wui tti petitioner
Note
This command was replaced by the crypto provisioning petitioner command effective with Cisco IOS Release 12.3(14)T.
To configure a device to become an easy secure device deployment (EzSDD) petitioner and enter tti-petitioner configuration mode, use the crypto wui tti petitioner command in global configuration mode. To disable petitioner support, use the no form of this command.
crypto wui tti petitioner
no crypto wui tti petitioner
Syntax Description
This command has no arguments or keywords.
Defaults
A device (with a crypto image) is configured to be an EzSDD petitioner.
Command Modes
Global configuration
Command History
| Release | Modification |
| 12.3(8)T | This command was introduced. |
Usage Guidelines
EzSDD uses Trusted Transitive Introduction (TTI) to easily deploy public key infrastructure (PKI) between two end devices. TTI, which is a communication protocol that provides a bidirectional introduction between two end entities, involves the following three entities:
• Introducer—A mutually trusted device that introduces the petitioner to the registrar. The introducer can be a device user, such as a system administrator.
• Petitioner—A new device that is joined to the secure domain.
• Registrar—A server that authorizes the petitioner. The registrar can be a certificate server.
Note
Because the petitioner is enabled by default on the device, you only have to issue the crypto wui tti petitioner command if you have previously disabled the petitioner or if you want to use an existing trustpoint instead of the automatically generated trustpoint.
Examples
After the EzSDD exchange is complete, the petitioner will automatically enroll with the registrar and obtain a certificate. The following sample output from the show running-config command shows an automatically generated configuration at the petitioner. (Note that the petitioner will not have any TTI-specific configuration in the beginning except that the HTTP server will be turned on and the Domain Name System (DNS) server needs to be properly configured.)
crypto pki trustpoint tti
! Enrollment url contains the registrar CS details
enrollment url http://pki1-36a.cisco.com:80
Related Commands
| Command | Description |
| crypto wui tti registrar | Configures a device to become an EzSDD registrar and enters tti-registrar configuration mode. |
| trustpoint (tti-petitioner) | Specifies the trustpoint that is to be associated with the TTI exchange between the EzSDD petitioner and the EzSDD registrar. |
crypto wui tti registrar
Note
This command was replaced by the crypto provisioning registrar command effective with Cisco IOS Release 12.3(14)T.
To configure a device to become an easy secure device deployment (EzSDD) registrar and enter tti-registrar configuration mode, use the crypto wui tti registrar command in global configuration mode. To disable registrar support, use the no form of this command.
crypto wui tti registrar
no crypto wui tti registrar
Syntax Description
This command has no arguments or keywords.
Defaults
The registrar is not enabled.
Command Modes
Global configuration
Command History
| Release | Modification |
| 12.3(8)T | This command was introduced. |
Usage Guidelines
EzSDD uses Trusted Transitive Introduction (TTI) to easily deploy public key infrastructure (PKI) between two end devices. TTI, which is a communication protocol that provides a bidirectional introduction between two end entities, involves the following three entities:
• Introducer—A mutually trusted device that introduces the petitioner to the registrar. The introducer can be a device user, such as a system administrator.
• Petitioner—A new device that is joined to the secure domain.
• Registrar—A server that authorizes the petitioner.
Although any device that contains a crypto image can be the registrar, it is recommended that the registrar be either a Cisco IOS certificate server registration authority (RA) or a Cisco IOS certificate server root.
Examples
The following sample output from the show running-config command verifies that the certificate server "cs1" was configured and associated with the TTI exchange between the registrar and petitioner:
issuer-name CN = ioscs,L = Santa Cruz,C =US
crypto pki trustpoint pki-36a
enrollment url http://pki-36a:80
ip-address FastEthernet0/0
crypto pki trustpoint cs1
crypto pki certificate chain pki-36a
crypto pki certificate chain cs1
crypto ipsec transform-set test_transformset esp-3des
crypto map test_cryptomap 10 ipsec-isakmp
set security-association lifetime seconds 1800
set transform-set test_transformset
Related Commands
| Command | Description |
| crypto pki server | Enables a Cisco IOS certificate server and enters certificate server configuration mode. |
| crypto wui tti petitioner | Configures a device to become an EzSDD petitioner and enters tti-petitioner configuration mode. |
ctype
To preauthenticate calls on the basis of the call type, use the ctype command in AAA preauthentication configuration mode. To remove the ctype command from your configuration, use the no form of this command.
ctype [if-avail | required] [accept-stop] [password password] [digital | speech | v.110 | v.120]
no ctype [if-avail | required] [accept-stop] [password password] [digital | speech | v.110 | v.120]
Syntax Description
| if-avail | (Optional) Implies that if the switch provides the data, RADIUS must be reachable and must accept the string in order for preauthentication to pass. If the switch does not provide the data, preauthentication passes. |
| required | (Optional) Implies that the switch must provide the associated data, that RADIUS must be reachable, and that RADIUS must accept the string in order for preauthentication to pass. If these three conditions are not met, preauthentication fails. |
| accept-stop | (Optional) Prevents subsequent preauthentication elements such as clid or dnis from being tried once preauthentication has succeeded for a call element. |
| password password | (Optional) Defines the password for the preauthentication element. |
| digital | (Optional) Specifies "digital" as the call type for preauthentication. |
| speech | (Optional) Specifies "speech" as the call type for preauthentication. |
| v.110 | (Optional) Specifies "v.110" as the call type for preauthentication. |
| v.120 | (Optional) Specifies "v.120" as the call type for preauthentication. |
Defaults
The if-avail and required keywords are mutually exclusive. If the if-avail keyword is not configured, the preauthentication setting defaults to required.
The default password string is cisco.
Command Modes
AAA preauthentication configuration
Command History
| Release | Modification |
| 12.1(2)T | This command was introduced. |
Usage Guidelines
You may configure more than one of the AAA preauthentication commands (clid, ctype, dnis) to set conditions for preauthentication. The sequence of the command configuration decides the sequence of the preauthentication conditions. For example, if you configure dnis, then clid, then ctype, in this order, then this is the order of the conditions considered in the preauthentication process.
In addition to using the preauthentication commands to configure preauthentication on the Cisco router, you must set up the preauthentication profiles on the RADIUS server.
Set up the RADIUS preauthentication profile with the call type string as the username and with the password that is defined in the ctype command as the password. Table 21 shows the call types that you may use in the preauthentication profile.
Table 21 Preauthentication Call Types
| Call Type String | ISDN Bearer Capabilities |
| digital | Unrestricted digital, restricted digital. |
| speech | Speech, 3.1 kHz audio, 7 kHz audio. |
| v.110 | Anything with V.110 user information layer. |
| v.120 | Anything with V.120 user information layer. |
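The ordering and default rules above, as an added Python check (not Cisco IOS code): it reads the clid, ctype and dnis lines from a constructed running-config fragment, lists the conditions in the order IOS evaluates them, applies the documented defaults (required unless if-avail is given; password cisco if none is set) and flags elements that still rely on the default password or on if-avail. The "aaa preauth" block header and the sample configuration are constructed for this example.

```python
# Added example: audit AAA preauthentication conditions from a running-config.
# ASSUMPTION: the "aaa preauth" block and the sample lines are constructed;
# only the clid/ctype/dnis keywords and defaults come from the command reference.
from dataclasses import dataclass, field

DEFAULT_PASSWORD = "cisco"                       # documented default password
CALL_TYPES = {"digital", "speech", "v.110", "v.120"}
PREAUTH_ELEMENTS = ("clid", "ctype", "dnis")


@dataclass
class PreauthCondition:
    element: str
    mode: str = "required"                       # default when if-avail is absent
    accept_stop: bool = False
    password: str = DEFAULT_PASSWORD
    call_types: list = field(default_factory=list)


def parse_preauth(config: str) -> list:
    """Return the preauthentication conditions in configuration (= evaluation) order."""
    conds = []
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] not in PREAUTH_ELEMENTS:
            continue
        if tokens[0] == "dnis" and tokens[1:2] == ["bypass"]:
            continue                             # dnis bypass is a skip list, not a condition
        cond = PreauthCondition(element=tokens[0])
        i = 1
        while i < len(tokens):
            tok = tokens[i]
            if tok in ("if-avail", "required"):
                cond.mode = tok
            elif tok == "accept-stop":
                cond.accept_stop = True
            elif tok == "password" and i + 1 < len(tokens):
                i += 1
                cond.password = tokens[i]
            elif tok in CALL_TYPES and cond.element == "ctype":
                cond.call_types.append(tok)
            i += 1
        conds.append(cond)
    return conds


def audit(conds: list) -> list:
    """Findings a reviewer would raise, numbered by evaluation position."""
    findings = []
    for n, c in enumerate(conds, 1):
        if c.password == DEFAULT_PASSWORD:
            findings.append(f"{n}. {c.element}: uses the default password 'cisco'")
        if c.mode == "if-avail":
            findings.append(f"{n}. {c.element}: if-avail passes when the switch sends no data")
    return findings


SAMPLE_CONFIG = """\
! constructed sample, not from a real device
aaa preauth
 group radius
 dnis required password dnis-secret-42
 clid if-avail
 ctype required accept-stop digital speech
"""

if __name__ == "__main__":
    for n, c in enumerate(parse_preauth(SAMPLE_CONFIG), 1):
        print(n, c)
    for line in audit(parse_preauth(SAMPLE_CONFIG)):
        print(line)
```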
Examples
The following example specifies that incoming calls be preauthenticated on the basis of the call type:
Related Commands
| Command | Description |
| clid | Preauthenticates calls on the basis of the CLID number. |
| dnis (RADIUS) | Preauthenticates calls on the basis of the DNIS number. |
| dnis bypass (AAA preauthentication configuration) | Specifies a group of DNIS numbers that will be bypassed for preauthentication. |
| group (RADIUS) | Specifies the AAA RADIUS server group to use for preauthentication. |