Table Of Contents
crypto isakmp client configuration address-pool local
crypto isakmp client configuration browser-proxy
crypto isakmp client configuration group
crypto map client authentication list
crypto map client configuration address
crypto map isakmp authorization list
crypto mib ipsec flowmib history failure size
crypto mib ipsec flowmib history tunnel size
crypto pki certificate query (ca-trustpoint)
crypto pki certificate storage
crypto isakmp client configuration address-pool local
To configure the IP address local pool to reference Internet Key Exchange (IKE) on your router, use the crypto isakmp client configuration address-pool local command in global configuration mode. To restore the default value, use the no form of this command.
crypto isakmp client configuration address-pool local pool-name
no crypto isakmp client configuration address-pool local
Syntax Description
Defaults
IP address local pools do not reference IKE.
Command Modes
Global configuration
Command History
Examples
The following example references IP address local pools to IKE on your router, with "ire" as the pool-name:
crypto isakmp client configuration address-pool local ireRelated Commands
ip local pool
Configures a local pool of IP addresses to be used when a remote peer connects to a point-to-point interface.
crypto isakmp client configuration browser-proxy
To configure browser-proxy parameters for an Easy VPN remote device and to enter ISAKMP browser proxy configuration mode, use the crypto isakmp client configuration browser-proxy command in global configuration mode. To disable the browser-proxy parameters, use the no form of this command.
crypto isakmp client configuration browser-proxy {browser-proxy-name}
no crypto isakmp client configuration browser-proxy {browser-proxy-name}
Syntax Description
Command Default
Browser-proxy parameters are not set.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
While specifying the proxy server, the proxy IP address and port number are separated with a colon. The proxy exception list is a semicolon-delimited string of IP addresses.
After enabling this command, you may specify the following subcommand:
•
proxy—Configures proxy parameters for your Easy VPN remote device (see the proxy command for more information about this command and the acceptable parameters).
Examples
The following example shows various browser-proxy parameter settings for a browser proxy named "bproxy":
crypto isakmp client configuration browser-proxy bproxyproxy auto-detectcrypto isakmp client configuration browser-proxy bproxyproxy nonecrypto isakmp client configuration browser-proxy bproxyproxy server 10.1.1.1:2000proxy exception-list 10.2.2.*,www.*orgproxy by-pass-localRelated Commands
crypto isakmp client configuration group
To specify to which group a policy profile will be defined and to enter crypto ISAKMP group configuration mode, use the crypto isakmp client configuration group command in global configuration mode. To remove this command and all associated subcommands from your configuration, use the no form of this command.
crypto isakmp client configuration group {group-name | default}
no crypto isakmp client configuration group
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Use the crypto isakmp client configuration group command to specify group policy information that needs to be defined or changed. You may wish to change the group policy on your router if you decide to connect to the client using a group ID that does not match the group-name argument.
After enabling this command, which puts you in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode, you can specify characteristics for the group policy using the following commands:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Output for the crypto isakmp client configuration group command (using the key subcommand) will show that the preshared key is either encrypted or unencrypted. An output example for an unencrypted preshared key would be as follows:
crypto isakmp client configuration group key testAn output example for a type 6 encrypted preshared key would be as follows:
crypto isakmp client configuration group
key 6 JK_JHZPeJV_XFZTKCQFYAABSession Monitoring and Limiting for Easy VPN Clients
It is possible to mimic the functionality provided by some RADIUS servers for limiting the number of connections to a specific server group and also for limiting the number of simultaneous logins for users in that group.
To limit the number of connections to a specific server group, use the max-users subcommand. To limit the number of simultaneous logins for users in the server group, use the max-logins subcommand.
The following example shows the RADIUS attribute-value (AV) pairs for the maximum users and maximum logins parameters:
ipsec:max-users=1000ipsec:max-logins=1The max-users and max-logins commands can be enabled together or individually to control the usage of resources by any groups or individuals.
If you use a RADIUS server, such as a CiscoSecure access control server (ACS), it is recommended that you enable this session control on the RADIUS server if the functionality is provided. In this way, usage can be controlled across a number of servers by one central repository. When enabling this feature on the router itself, only connections to groups on that specific device are monitored, and load-sharing scenarios are not accurately accounted for.
Examples
The following example shows how to define group policy information for Mode Configuration push. In this example, the first group name is "cisco" and the second group name is "default." Thus, the default policy will be enforced for all users who do not offer a group name that matches "cisco."
crypto isakmp client configuration group ciscokey ciscodns 10.2.2.2 10.2.2.3wins 10.6.6.6domain cisco.compool fredacl 199!crypto isakmp client configuration group defaultkey ciscodns 10.2.2.2 10.3.2.3pool fredacl 199Related Commands
crypto isakmp client firewall
To define the Central Policy Push (CPP) firewall policypush on a server, use the crypto isakmp client firewall command in global configuration mode. To remove the CPP that was configured, use the no form of this command.
crypto isakmp client firewall {policy-name} {required | optional} {firewall-type}
nocrypto isakmp client firewall {policy-name} {required | optional} {firewall-type}
Syntax Description
policy-name
Uniquely identifies a policy. A policy name can be associated with an Easy VPN client group configuration on the server (local group configuration) or on the authentication, authorization, and accounting (AAA) server.
required
Policy is mandatory. If the CPP policy is defined as mandatory and is included in the Easy VPN server configuration, the tunnel setup is allowed only if the Cisco VPN Client confirms this policy. If the policy is not confirmed, the tunnel is terminated.
optional
Policy is optional. If the CPP policy is defined as optional and is included in the Easy VPN server configuration, the tunnel setup continues even if the Cisco VPN Client does not confirm the defined policy.
firewall-type
Type of firewall. See Table 14 for a list of acceptable firewall types.
Command Default
CPP is not configured.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Table 14 lists firewall types that may be used for the firewall-type argument.
Table 14 Acceptable Firewall Types
Cisco-Integrated-firewall (central-policy-push)
Cisco-Security-Agent (check-presence)
Zonelabs-Zonealarm (both)
Zonelabs-ZonealarmPro (both)
Examples
The following example defines the CPP policy name as "hw-client-g-cpp." The "Cisco-Security-Agent" policy type is mandatory. The CPP inbound list is "192" and the outbound list is "sample":
crypto isakmp client firewall hw-client-g-cpp required Cisco-Security-Agentpolicy central-policy-push access-list in 192policy central-policy-push access-list out samplepolicy check-presenceRelated Commands
crypto isakmp enable
To globally enable Internet Key Exchange (IKE) for your peer router, use the crypto isakmp enable command in global configuration mode. To disable IKE for the peer, use the no form of this command.
crypto isakmp enable
no crypto isakmp enable
Syntax Description
This command has no arguments or keywords.
Defaults
IKE is enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
IKE is enabled by default. IKE does not have to be enabled for individual interfaces, but is enabled globally for all interfaces at the router.
If you do not want IKE to be used for your IPSec implementation, you can disable IKE for all your IP Security peers. If you disable IKE for one peer, you must disable it for all IPSec peers.
If you disable IKE, you will have to make these concessions at the peers:
•
•
•
•
•
Note
Examples
The following example disables IKE at one peer. (The same command should be issued for all remote peers.)
no crypto isakmp enablecrypto isakmp identity
To define the identity used by the router when participating in the Internet Key Exchange (IKE) protocol, use the crypto isakmp identity command in global configuration mode. Set an Internet Security Association Key Management Protocol (ISAKMP) identity whenever you specify preshared keys. To reset the ISAKMP identity to the default value (address), use the no form of this command.
crypto isakmp identity {address | hostname}
no crypto isakmp identity
Syntax Description
Command Default
The IP address is used for the ISAKMP identity.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to specify an ISAKMP identity either by IP address or by host name.
The address keyword is typically used when there is only one interface (and therefore only one IP address) that will be used by the peer for IKE negotiations, and the IP address is known.
The hostname keyword should be used if there is more than one interface on the peer that might be used for IKE negotiations, or if the interface's IP address is unknown (such as with dynamically assigned IP addresses).
As a general rule, you should set all peers' identities in the same way, either by IP address or by host name.
Examples
The following example uses preshared keys at two peers and sets both their ISAKMP identities to IP address.
At the local peer (at 10.0.0.1) the ISAKMP identity is set and the preshared key is specified.
crypto isakmp identity addresscrypto isakmp key sharedkeystring address 192.168.1.33At the remote peer (at 192.168.1.33) the ISAKMP identity is set and the same preshared key is specified.
crypto isakmp identity addresscrypto isakmp key sharedkeystring address 10.0.0.1
Note
The following example uses preshared keys at two peers and sets both their ISAKMP identities to host name.
At the local peer the ISAKMP identity is set and the preshared key is specified.
crypto isakmp identity hostnamecrypto isakmp key sharedkeystring hostname RemoteRouter.example.comip host RemoteRouter.example.com 192.168.0.1At the remote peer the ISAKMP identity is set and the same preshared key is specified.
crypto isakmp identity hostnamecrypto isakmp key sharedkeystring hostname LocalRouter.example.comip host LocalRouter.example.com 10.0.0.1 10.0.0.2In the above example, host names are used for the peers' identities because the local peer has two interfaces that might be used during an IKE negotiation.
In the above example the IP addresses are also mapped to the host names; this mapping is not necessary if the routers' host names are already mapped in DNS.
Related Commands
crypto ipsec security-association lifetime
Specifies the authentication method within an IKE policy.
crypto isakmp key
Configures a preshared authentication key.
crypto isakmp keepalive
To allow the gateway to send dead peer detection (DPD) messages to the peer, use the crypto isakmp keepalive command in global configuration mode. To disable keepalives, use the no form of this command.
crypto isakmp keepalive seconds [retries] [periodic | on-demand]
no crypto isakmp keepalive seconds [retries] [periodic | on-demand]
Syntax Description
Command Default
No DPD messages are sent.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Use the crypto isakmp keepalive command to enable the gateway to send DPD messages to the peer. DPD is a keepalives scheme that allows the router to query the liveliness of its Internet Key Exchange (IKE) peer.
Use the periodic keyword to configure your router so that DPD messages are "forced" at regular intervals. This forced approach results in earlier detection of dead peers than with the on-demand approach. If you do not configure the periodic option, the router defaults to the on-demand approach.
Note
Examples
The following example shows how to configure DPD messages to be sent every 60 seconds and every 5 seconds between retries if the peer does not respond:
crypto isakmp keepalive 60 5The following example shows that periodic DPD messages are to be sent at intervals of 10 seconds:
crypto isakmp keepalive 10 periodicThe following example shows that the above periodic behavior is being disabled:
crypto isakmp keepalive 10 on-demandRelated Commands
crypto isakmp key
To configure a preshared authentication key, use the crypto isakmp key command in global configuration mode. To delete a preshared authentication key, use the no form of this command.
crypto isakmp key enc-type-digit {keystring} {address peer-address [mask] | ipv6 {ipv6-address/ipv6-prefix} | hostname hostname} [no-xauth]
no crypto isakmp key enc-type-digit {keystring} {address peer-address [mask] | ipv6 {ipv6-address/ipv6-prefix} | hostname hostname} [no-xauth]
Syntax Description
Command Default
There is no default preshared authentication key.
Command Modes
Global configuration
Command History
Usage Guidelines
You must use this command to configure a key whenever you specify preshared keys in an Internet Key Exchange (IKE) policy; you must enable this command at both peers.
If an IKE policy includes preshared keys as the authentication method, these preshared keys must be configured at both peers—otherwise the policy cannot be used (the policy will not be submitted for matching by the IKE process). The crypto isakmp key command is the second task required to configure the preshared keys at the peers. (The first task is accomplished using the crypto isakmp identity command.)
Use the address keyword if the remote peer ISAKMP identity was set with its IP address.
With the address keyword, you can also use the mask argument to indicate the remote peer ISAKMP identity will be established using the preshared key only. If the mask argument is used, preshared keys are no longer restricted between two users.
Note
Preshared keys no longer work when the hostname keyword is sent as the identity; thus, the hostname keyword as the identity in preshared key authentication is no longer supported. According to the way preshared key authentication is designed in IKE main mode, the preshared keys must be based on the IP address of the peers. Although a user can still send the hostname as identity in preshared key authentication, the key is searched on the IP address of the peer; if the key is not found (based on the IP address), the negotiation will fail.
If crypto isakmp identity hostname is configured as identity, the preshared key must be configured with the peer's IP address for the process to work.
Use the no-xauth keyword to prevent the router from prompting the peer for Xauth information (username and password). This keyword disables Xauth for static IPSec peers. The no-xauth keyword should be enabled when configuring the preshared key for router-to-router IPSec—not VPN-client-to-Cisco-IOS IPSec.
Output from the crypto isakmp key command will show that the preshared key is either encrypted or unencrypted. An output example for an unencrypted preshared key would be as follows:
crypto isakmp key test123 address 10.1.0.1An output example for a type 6 encrypted preshared key would be as follows:
crypto isakmp key 6 RHZE[JACMUI\bcbTdELISAAB address 10.1.0.1Examples
In the following example, the remote peer "RemoteRouter" specifies an ISAKMP identity by address:
crypto isakmp identity addressNow, the preshared key must be specified at each peer.
In the following example, the local peer specifies the preshared key and designates the remote peer by its IP address and a mask:
crypto isakmp key 0 sharedkeystring address 172.21.230.33 255.255.255.255In the following example for IPv6, the peer specifies the preshared key and designates the remote peer with an IPv6 address:
crypto isakmp key 0 my-preshare-key-0 address ipv6 3ffe:1001::2/128Related Commands
crypto isakmp peer
To enable an IP Security (IPSec) peer for Internet Key Exchange (IKE) querying of authentication, authorization, and accounting (AAA) for tunnel attributes in aggressive mode, use the crypto isakmp peer command in global configuration mode. To disable this functionality, use the no form of this command.
crypto isakmp peer {address {ipv4-address | ipv6 ipv6-address} | hostname fqdn-hostname}
no crypto isakmp peer {address {ipv4-address | ipv6 ipv6-address} | hostname fqdn-hostname}
Syntax Description
Command Default
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
After enabling this command, you can use the set aggressive-mode client-endpoint and set aggressive-mode password commands to specify RADIUS tunnel attributes in the Internet Security Association and Key Management Protocol (ISAKMP) peer policy for IPSec peers.
Instead of keeping your preshared keys on the hub router, you can scale your preshared keys by storing and retrieving them from an AAA server. The preshared keys are stored in the AAA server as Internet Engineering Task Force (IETF) RADIUS tunnel attributes and are retrieved when a user tries to "speak" to the hub router. The hub router retrieves the preshared key from the AAA server and the spokes (the users) initiate aggressive mode to the hub by using the preshared key that is specified in the ISAKMP peer policy as a RADIUS tunnel attribute.
Examples
The following example shows how to initiate aggressive mode using RADIUS tunnel attributes:
crypto isakmp peer ip-address 209.165.200.230 vrf vpn1set aggressive-mode client-endpoint user-fqdn user@cisco.comset aggressive-mode password cisco123Related Commands
crypto isakmp policy
To define an Internet Key Exchange (IKE) policy, use the crypto isakmp policy command in global configuration mode. IKE policies define a set of parameters to be used during the IKE negotiation. To delete an IKE policy, use the no form of this command.
crypto isakmp policy priority
no crypto isakmp policy
Syntax Description
priority
Uniquely identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 10,000, with 1 being the highest priority and 10,000 the lowest.
Command Default
If you do not configure any IKE policies, your router will use the default policy, which is always set to the lowest priority and which contains the default value of each parameter.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to specify the parameters to be used during an IKE negotiation. (These parameters are used to create the IKE security association [SA].)
This command invokes the Internet Security Association Key Management Protocol (ISAKMP) policy configuration (config-isakmp) command mode. While in the ISAKMP policy configuration command mode, some of the commands for which you can specify parameters are as follows:
•
•
•
•
•
If you do not specify any given parameter, the default value will be used for that parameter.
To exit the config-isakmp command mode, type exit.
You can configure multiple IKE policies on each peer participating in IPSec. When the IKE negotiation begins, it tries to find a common policy configured on both peers, starting with the highest priority policies as specified on the remote peer.
Examples
The following example configures two policies for the peer:
crypto isakmp policy 15hash md5authentication rsa-siggroup 2lifetime 5000crypto isakmp policy 20authentication pre-sharelifetime 10000The above configuration results in the following policies:
Router# show crypto isakmp policyProtection suite priority 15encryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Message Digest 5authentication method: Rivest-Shamir-Adleman SignatureDiffie-Hellman Group: #2 (1024 bit)lifetime: 5000 seconds, no volume limitProtection suite priority 20encryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Secure Hash Standardauthentication method: preshared KeyDiffie-Hellman Group: #1 (768 bit)lifetime: 10000 seconds, no volume limitDefault protection suiteencryption algorithm: DES - Data Encryption Standard (56 bit keys)hash algorithm: Secure Hash Standardauthentication method: Rivest-Shamir-Adleman SignatureDiffie-Hellman Group: #1 (768 bit)lifetime: 86400 seconds, no volume limitRelated Commands
crypto isakmp profile
To define an Internet Security Association and Key Management Protocol (ISAKMP) profile and to audit IP security (IPsec) user sessions, use the crypto isakmp profile command in global configuration mode. To delete a crypto ISAKMP profile, use the no form of this command.
crypto isakmp profile profile-name [accounting aaa-list]
no crypto isakmp profile profile-name [accounting aaa-list]
Syntax Description
profile-name
Name of the user profile. To associate a user profile with the RADIUS server, the user profile name must be identified.
accounting aaa-list
(Optional) Name of a client accounting list.
Command Defaults
No profile exists if the command is not used.
Command Modes
Global configuration
Command History
Usage Guidelines
Defining an ISAKMP Profile
An ISAKMP profile can be viewed as a repository of Phase 1 and Phase 1.5 commands for a set of peers. The Phase 1 configuration includes commands to configure such things as keepalive, identity matching, and the authorization list. The Phase 1.5 configuration includes commands to configure such things as extended authentication (Xauth) and mode configuration.
The peers are mapped to an ISAKMP profile when their identities are matched (as given in the identification [ID] payload of the Internet Key Exchange [IKE]) against the identities defined in the ISAKMP profile. To uniquely map to an ISAKMP profile, no two ISAKMP profiles should match the same identity. If the peer identity is matched in two ISAKMP profiles, the configuration is invalid. Also, there must be at least one match identity command defined in the ISAKMP profile for it to be complete.
After enabling this command and entering ISAKMP profile configuration mode, you can configure the following commands:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Auditing IPSec User Sessions
Use this command to audit multiple user sessions that are terminating on the IPSec gateway.
Note
Dynamic Virtual Tunnel Interfaces
Support for dynamic virtual tunnel interfaces allows for the virtual profile to be mapped into a specified virtual template.
Examples
ISAKAMP Profile Matching Peer Identities Example
The following example shows how to define an ISAKMP profile and match the peer identities:
crypto isakmp profile vpnprofilematch identity address 10.76.11.53ISAKAMP Profile with Accounting Example
The following accounting example shows that an ISAKMP profile is configured:
aaa new-model!!aaa authentication login cisco-client group radiusaaa authorization network cisco-client group radiusaaa accounting network acc start-stop broadcast group radiusaaa session-id common!crypto isakmp profile ciscovrf ciscomatch identity group cclientclient authentication list cisco-clientisakmp authorization list cisco-clientclient configuration address respondaccounting acc!crypto dynamic-map dynamic 1set transform-set aswanset isakmp-profile ciscoreverse-route!!radius-server host 172.16.1.4 auth-port 1645 acct-port 1646radius-server key nsiteRelated Commands
crypto key generate rsa
To generate Rivest, Shamir, and Adelman (RSA) key pairs, use the crypto key generate rsa command in global configuration mode.
crypto key generate rsa [general-keys | usage-keys | signature | encryption] [label key-label] [exportable] [modulus modulus-size] [storage devicename:] [on devicename:]
Syntax Description
Command Default
RSA key pairs do not exist.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to generate RSA key pairs for your Cisco device (such as a router).
RSA keys are generated in pairs—one public RSA key and one private RSA key.
If your router already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys.
Note
Note
This command is not saved in the router configuration; however, the RSA keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device) the next time the configuration is written to NVRAM.
Note
There are two mutually exclusive types of RSA key pairs: special-usage keys and general-purpose keys. When you generate RSA key pairs, you will be prompted to select either special-usage keys or general-purpose keys.
Special-Usage Keys
If you generate special-usage keys, two pairs of RSA keys will be generated. One pair will be used with any Internet Key Exchange (IKE) policy that specifies RSA signatures as the authentication method, and the other pair will be used with any IKE policy that specifies RSA encrypted keys as the authentication method.
A certification authority (CA) is used only with IKE policies specifying RSA signatures, not with IKE policies specifying RSA-encrypted nonces. (However, you could specify more than one IKE policy and have RSA signatures specified in one policy and RSA-encrypted nonces in another policy.)
If you plan to have both types of RSA authentication methods in your IKE policies, you may prefer to generate special-usage keys. With special-usage keys, each key is not unnecessarily exposed. (Without special-usage keys, one key is used for both authentication methods, increasing the exposure of that key.)
General-Purpose Keys
If you generate general-purpose keys, only one pair of RSA keys will be generated. This pair will be used with IKE policies specifying either RSA signatures or RSA encrypted keys. Therefore, a general-purpose key pair might get used more frequently than a special-usage key pair.
Named Key Pairs
If you generate a named key pair using the key-pair-label argument, you must also specify the usage-keys keyword or the general-keys keyword. Named key pairs allow you to have multiple RSA key pairs, enabling the Cisco IOS software to maintain a different key pair for each identity certificate.
Modulus Length
When you generate RSA keys, you will be prompted to enter a modulus length. The longer the modulus, the stronger the security. However a longer modules takes longer to generate (see Table 15 for sample times) and takes longer to use.
Cisco IOS software does not support a modulus greater than 4096 bits. A length of less than 512 bits is normally not recommended. In certain situations, the shorter modulus may not function properly with IKE, so we recommend using a minimum modulus of 1024 bits.
Note
The largest private RSA key modulus is 2048 bits. Therefore, the largest RSA private key a router may generate or import is 2048 bits.
The recommended modulus for a CA is 2048 bits; the recommended modulus for a client is 1024 bits.
Specifying a Storage Location for RSA Keys
When you issue the crypto key generate rsa command with the storage devicename: keyword and argument, the RSA keys will be stored on the specified device. This location will supersede any crypto key storage command settings.
Specifying a Device for RSA Key Generation
As of Cisco IOS Release 12.4(11)T and later releases, you may specify the device where RSA keys are generated. Devices supported include NVRAM, local disks, and USB tokens. If your router has a USB token configured and available, the USB token can be used as cryptographic device in addition to a storage device. Using a USB token as a cryptographic device allows RSA operations such as key generation, signing, and authentication of credentials to be performed on the token. The private key never leaves the USB token and is not exportable. The public key is exportable.
RSA keys may be generated on a configured and available USB token, by the use of the on devicename: keyword and argument. Keys that reside on a USB token are saved to persistent token storage when they are generated. The number of keys that can be generated on a USB token is limited by the space available. If you attempt to generate keys on a USB token and it is full you will receive the following message:
% Error in generating keys:no available resourcesKey deletion will remove the keys stored on the token from persistent storage immediately. (Keys that do not reside on a token are saved to or deleted from non-token storage locations when the write memory or similar command is issued.)
For information on configuring a USB token, see "Storing PKI Credentials" chapter in the Cisco IOS Security Configuration Guide , Release 12.4T. For information on using on-token RSA credentials, see "Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment chapter in the Cisco IOS Security Configuration Guide, Release 12.4T.
Examples
The following example generates a general usage 1024-bit RSA key pair on a USB token with the label "ms2" with crypto engine debugging messages shown:
Router(config)# crypto key generate rsa on usbtoken0 label ms2 modulus 1024The name for the keys will be: ms2% The key modulus size is 1024 bits% Generating 1024 bit RSA keys, keys will be on-token, non-exportable...Jan 7 02:41:40.895: crypto_engine: Generate public/private keypair [OK]Jan 7 02:44:09.623: crypto_engine: Create signatureJan 7 02:44:10.467: crypto_engine: Verify signatureJan 7 02:44:10.467: CryptoEngine0: CRYPTO_ISA_RSA_CREATE_PUBKEY(hw)(ipsec)Jan 7 02:44:10.467: CryptoEngine0: CRYPTO_ISA_RSA_PUB_DECRYPT(hw)(ipsec)Now, the on-token keys labeled "ms2" may be used for enrollment.
The following example generates special-usage RSA keys:
Router(config)# crypto key generate rsa usage-keysThe name for the keys will be: myrouter.example.comChoose the size of the key modulus in the range of 360 to 2048 for your Signature Keys. Choosing a key modulus greater than 512 may take a few minutes.How many bits in the modulus[512]? <return>Generating RSA keys.... [OK].Choose the size of the key modulus in the range of 360 to 2048 for your Encryption Keys. Choosing a key modulus greater than 512 may take a few minutes.How many bits in the modulus[512]? <return>Generating RSA keys.... [OK].The following example generates general-purpose RSA keys:
Note
Router(config)# crypto key generate rsa general-keysThe name for the keys will be: myrouter.example.comChoose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.How many bits in the modulus[512]? <return>Generating RSA keys.... [OK].The following example generates the general purpose RSA key pair "exampleCAkeys":
crypto key generate rsa general-keys exampleCAkeyscrypto ca trustpoint exampleCAkeysenroll url http://exampleCAkeys/certsrv/mscep/mscep.dllrsakeypair exampleCAkeys 1024 1024The following example specifies the RSA key storage location of "usbtoken0:" for "tokenkey1":
crypto isakmp peer ip-address 209.165.200.230 vrf vpn1Related Commands
crypto key pubkey-chain rsa
To enter public key configuration mode (so you can manually specify other devices' RSA public keys), use the crypto key pubkey-chain rsa command in global configuration mode.
crypto key pubkey-chain rsa
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to enter public key chain configuration mode. Use this command when you need to manually specify other IPSec peers' RSA public keys. You need to specify other peers' keys when you configure RSA encrypted nonces as the authentication method in an Internet Key Exchange policy at your peer router.
Examples
The following example specifies the RSA public keys of two other IPSec peers. The remote peers use their IP address as their identity.
Router(config)# crypto key pubkey-chain rsaRouter(config-pubkey-chain)# addressed-key 10.5.5.1Router(config-pubkey-key)# key-stringRouter(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DBRouter(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045BRouter(config-pubkey)# 90288A26 DBC64468 7789F76E EE21Router(config-pubkey)# quitRouter(config-pubkey-key)# exitRouter(config-pubkey-chain)# addressed-key 10.1.1.2Router(config-pubkey-key)# key-stringRouter(config-pubkey)# 0738BC7A 2BC3E9F0 679B00FE 53987BCCRouter(config-pubkey)# 01030201 42DD06AF E228D24C 458AD228Router(config-pubkey)# 58BB5DDD F4836401 2A2D7163 219F882ERouter(config-pubkey)# 64CE69D4 B583748A 241BED0F 6E7F2F16Router(config-pubkey)# 0DE0986E DF02031F 4B0B0912 F68200C4Router(config-pubkey)# C625C389 0BFF3321 A2598935 C1B1Router(config-pubkey)# quitRouter(config-pubkey-key)# exitRouter(config-pubkey-chain)# exitRouter(config)#Related Commands
crypto key zeroize rsa
To delete all RSA keys from your router, use the crypto key zeroize rsa command in global configuration mode.
crypto key zeroize rsa [key-pair-label]
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
This command deletes all Rivest, Shamir, and Adelman (RSA) keys that were previously generated by your router unless you include the key-pair-label argument, which will delete only the specified RSA key pair. If you issue this command, you must also perform two additional tasks for each trustpoint that is associated with the key pair that was deleted:
•
•
Note
This command is not saved to the configuration.
Examples
The following example deletes the general-purpose RSA key pair that was previously generated for the router. After deleting the RSA key pair, the administrator contacts the CA administrator and requests that the certificate of the router be revoked. The administrator then deletes the certificate of the router from the configuration.
crypto key zeroize rsacrypto ca certificate chainno certificateRelated Commands
crypto keyring
To define a crypto keyring to be used during Internet Key Exchange (IKE) authentication, use the crypto keyring command in global configuration mode. To remove the keyring, use the no form of this command.
crypto keyring keyring-name [vrf fvrf-name]
no crypto keyring keyring-name [vrf fvrf-name]
Syntax Description
Command Default
All the Internet Security Association and Key Management Protocol (ISAKMP) keys that were defined in the global configuration are part of the default global keyring.
Command Modes
Global configuration
Command History
Usage Guidelines
A keyring is a repository of preshared and Rivest, Shamir, and Adelman (RSA) public keys. The keyring is used in the ISAKMP profile configuration mode. The ISAKMP profile successfully completes authentication of peers if the peer keys are defined in the keyring that is attached to this profile.
Examples
The following example shows that a keyring and its usage have been defined:
crypto keyring vpnkeyspre-shared-key address 10.72.23.11 key vpnsecretcrypto isakmp profile vpnprofilekeyring vpnkeysRelated Commands
crypto logging ezvpn
To enable Easy VPN syslog messages on a server, use the crypto logging ezvpn command in global configuration mode. To disable syslog messages on the server, use the no form of this command.
crypto logging ezvpn [group group-name]
no crypto logging ezvpn [group group-name]
Syntax Description
Command Default
Syslog messages are not enabled.
Command Modes
Global configuration (config)
Command History
Examples
The following configuration shows that syslog messages are to be displayed for group_1.
crypto logging ezvpn group group_1The following is an example of a typical Easy VPN syslog message:
timestamp: %CRYPTO-6-VPN_TUNNEL_STATUS: (Server) <event message> User=<username> Group=<groupname> Client_public_addr=<ip_addr> Server_public_addr=<ip addr>The following is an example of an authentication-passed event Easy VPN syslog message:
Jul 25 23:33:06.847: %CRYPTO-6-VPN_TUNNEL_STATUS: (Server) Authentication PASSED User=blue Group=Cisco1760group Client_public_addr=10.20.20.1 Server_public_addr=10.20.20.2The following is an example of a "Group does not exist" Easy VPN syslog message:
*Jun 30 18:02:58.107: %CRYPTO-6-VPN_TUNNEL_STATUS: Group: group_1 does not existcrypto map (global IPSec)
To enter crypto map configuration mode and create or modify a crypto map entry, to create a crypto profile that provides a template for configuration of dynamically created crypto maps, or to configure a client accounting list, use the crypto map command in global configuration mode. To delete a crypto map entry, profile, or set, use the no form of this command.
crypto map map-name seq-num [ipsec-manual]
crypto map map-name seq-num [ipsec-isakmp] [dynamic dynamic-map-name] [discover] [profile profile-name]
crypto map map-name [client-accounting-list aaalist]
crypto map map-name seq-num [gdoi]
no crypto map map-name seq-num
Note
Syntax Description
Command Default
No crypto maps exist.
Peer discovery is not enabled.Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to create a new crypto map entry, to create a crypto map profile, or to modify an existing crypto map entry or profile.
After a crypto map entry has been created, you cannot change the parameters specified at the global configuration level because these parameters determine which of the configuration commands are valid at the crypto map level. For example, after a map entry has been created using the ipsec-isakmp keyword, you cannot change it to the option specified by the ipsec-manual keyword; you must delete and reenter the map entry.
After you define crypto map entries, you can assign the crypto map set to interfaces using the crypto map (interface IPSec) command.
Crypto Map Functions
Crypto maps provide two functions: filtering and classifying traffic to be protected and defining the policy to be applied to that traffic. The first use affects the flow of traffic on an interface; the second affects the negotiation performed (via IKE) on behalf of that traffic.
IPSec crypto maps define the following:
•
•
•
•
Multiple Crypto Map Entries with the Same Map Name Form a Crypto Map Set
A crypto map set is a collection of crypto map entries, each with a different seq-num argument but the same map-name argument. Therefore, for a given interface, you could have certain traffic forwarded to one IPSec peer with specified security applied to that traffic and other traffic forwarded to the same or a different IPSec peer with different IPSec security applied. To accomplish differential forwarding you would create two crypto maps, each with the same map-name argument, but each with a different seq-num argument. Crypto profiles must have unique names within a crypto map set.
Sequence Numbers
The number you assign to the seq-num argument should not be arbitrary. This number is used to rank multiple crypto map entries within a crypto map set. Within a crypto map set, a crypto map entry with a lower seq-num is evaluated before a map entry with a higher seq-num; that is, the map entry with the lower number has a higher priority.
For example, consider a crypto map set that contains three crypto map entries: mymap 10, mymap 20, and mymap 30. The crypto map set named "mymap" is applied to serial interface 0. When traffic passes through serial interface 0, the traffic is evaluated first for mymap 10. If the traffic matches any access list permit statement entry in the extended access list in mymap 10, the traffic will be processed according to the information defined in mymap 10 (including establishing IPSec SAs when necessary). If the traffic does not match the mymap 10 access list, the traffic will be evaluated for mymap 20, and then mymap 30, until the traffic matches a permit entry in a map entry. (If the traffic does not match a permit entry in any crypto map entry, it will be forwarded without any IPSec security.)
Dynamic Crypto Maps
Refer to the "Usage Guidelines" section of the crypto dynamic-map command for a discussion on dynamic crypto maps.
Crypto map entries that reference dynamic map sets should be the lowest priority map entries, allowing inbound SA negotiation requests to try to match the static maps first. Only after the request does not match any of the static maps do you want it to be evaluated against the dynamic map set.
If a crypto map entry references a dynamic crypto map set, make it the lowest priority map entry by giving the it the highest seq-num value of all the map entries in a crypto map set.
Create dynamic crypto map entries using the crypto dynamic-map command. After you create a dynamic crypto map set, add the dynamic crypto map set to a static crypto map set with the crypto map (global IPSec) command using the dynamic keyword.
TED
TED is an enhancement to the IPSec feature. Defining a dynamic crypto map allows you to dynamically determine an IPSec peer; however, only the receiving router has this ability. With TED, the initiating router can dynamically determine an IPSec peer for secure IPSec communications.
Dynamic TED helps to simplify IPSec configuration on the individual routers within a large network. Each node has a simple configuration that defines the local network that the router is protecting and the IPSec transforms that are required.
Note
Crypto Map Profiles
Crypto map profiles are created using the profile profile-name keyword and argument combination. Crypto map profiles are used as configuration templates for dynamically creating crypto maps on demand for use with the L2TP Security feature. The relevant SAs in the crypto map profile will be cloned and used to protect IP traffic on the L2TP tunnel.
Note
Examples
The following example shows the minimum required crypto map configuration when IKE will be used to establish the SAs:
crypto map mymap 10 ipsec-isakmpmatch address 101set transform-set my_t_set1set peer 10.0.0.1The following example shows the minimum required crypto map configuration when the SAs are manually established:
crypto transform-set someset ah-md5-hmac esp-descrypto map mymap 10 ipsec-manualmatch address 102set transform-set somesetset peer 10.0.0.5set session-key inbound ah 256 98765432109876549876543210987654set session-key outbound ah 256 fedcbafedcbafedcfedcbafedcbafedcset session-key inbound esp 256 cipher 0123456789012345set session-key outbound esp 256 cipher abcdefabcdefabcdThe following example configures an IPSec crypto map set that includes a reference to a dynamic crypto map set.
Crypto map "mymap 10" allows SAs to be established between the router and either (or both) of two remote IPSec peers for traffic matching access list 101. Crypto map "mymap 20" allows either of two transform sets to be negotiated with the remote peer for traffic matching access list 102.
Crypto map entry "mymap 30" references the dynamic crypto map set "mydynamicmap," which can be used to process inbound SA negotiation requests that do not match "mymap" entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in "mydynamicmap," for a flow permitted by the access list 103, IPSec will accept the request and set up SAs with the remote peer without previously knowing about the remote peer. If the request is accepted, the resulting SAs (and temporary crypto map entry) are established according to the settings specified by the remote peer.
The access list associated with "mydynamicmap 10" is also used as a filter. Inbound packets that match any access list permit statement in this list are dropped for not being IPSec protected. (The same is true for access lists associated with static crypto maps entries.) Outbound packets that match a permit statement without an existing corresponding IPSec SA are also dropped.
crypto map mymap 10 ipsec-isakmpmatch address 101set transform-set my_t_set1set peer 10.0.0.1set peer 10.0.0.2crypto map mymap 20 ipsec-isakmpmatch address 102set transform-set my_t_set1 my_t_set2set peer 10.0.0.3crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap!crypto dynamic-map mydynamicmap 10match address 103set transform-set my_t_set1 my_t_set2 my_t_set3The following example configures TED on a Cisco router:
crypto map testtag 10 ipsec-isakmp dynamic dmap discoverThe following example configures a crypto profile to be used as a template for dynamically created crypto maps when IPSec is used to protect an L2TP tunnel:
crypto map l2tpsec 10 ipsec-isakmp profile l2tpThe following example configures a crypto map for a GDOI group member:
crypto map diffint 10 gdoiset group diffintRelated Commands
crypto map (interface IPSec)
To apply a previously defined crypto map set to an interface, use the crypto map command in interface configuration mode. To remove the crypto map set from the interface, use the no form of this command.
crypto map map-name [redundancy standby-group-name[stateful]]
no crypto map [map-name] [redundancy standby-group-name [stateful]]
Syntax Description
Defaults
No crypto maps are assigned to interfaces.
Command Modes
Interface configuration
Command History
Usage Guidelines
Use this command to assign a crypto map set to an interface. You must assign a crypto map set to an interface before that interface can provide IPSec services. Only one crypto map set can be assigned to an interface. If multiple crypto map entries have the same map name but a different sequence number, they are considered to be part of the same set and will all be applied to the interface. The crypto map entry that has the lowest sequence number is considered the highest priority and will be evaluated first. A single crypto map set can contain a combination of ipsec-isakmp and ipsec-manual crypto map entries.
Note
The standby name must be configured on all devices in the standby group, and the standby address must be configured on at least one member of the group. If the standby name is removed from the router, the IPSec security associations (SAs) will be deleted. If the standby name is added again, regardless of whether the same name or a different name is used, the crypto map (using the redundancy option) will have to be reapplied to the interface.
Note
The stateful keyword enables stateful failover of IKE and IPSec sessions. Stateful Switchover (SSO) must also be configured for IPSec stateful failover to operate correctly.
Examples
The following example shows how all remote Virtual Private Network (VPN) gateways connect to the router via 192.168.0.3:
crypto map mymap 1 ipsec-isakmpset peer 10.1.1.1reverse-routeset transform-set esp-3des-shamatch address 102Interface FastEthernet 0/0ip address 192.168.0.2 255.255.255.0standby name group1standby ip 192.168.0.3crypto map mymap redundancy group1access-list 102 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255The crypto map on the interface binds this standby address as the local tunnel endpoint for all instances of "mymap" and, at the same time, ensures that stateless HSRP failover is facilitated between an active and standby device that belongs to the same standby group, "group1."
Reverse route injection (RRI) is also enabled to provide the ability for only the active device in the HSRP group to be advertising itself to inside devices as the next hop VPN gateway to the remote proxies. If a failover occurs, routes are deleted on the former active device and created on the new active device.
The following example shows how to configure IPSec stateful failover on the crypto map "to-peer-outside":
crypto map to-peer-outside 10 ipsec-isakmpset peer 209.165.200.225set transform-set trans1match address peer-outsideinterface Ethernet0/0ip address 209.165.201.1 255.255.255.224standby 1 ip 209.165.201.3standby 1 preemptstandby 1 name HA-outstandby 1 track Ethernet1/0crypto map to-peer-outside redundancy HA-out statefulRelated Commands
crypto map client authentication list
To configure Internet Key Exchange extended authentication (Xauth) on your router, use the crypto map client authentication list command in global configuration mode. To restore the default value, use the no form of this command.
crypto map map-name client authentication list list-name
no crypto map map-name client authentication list list-name
Syntax Description
Defaults
Xauth is not enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
Before configuring Xauth, you should complete the following tasks:
•
•
•
•
After enabling Xauth, you should apply the crypto map on which Xauth is configured to the router interface.
Examples
The following example configures user authentication (a list of authentication methods called xauthlist) on an existing static crypto map called xauthmap:
crypto map xauthmap client authentication list xauthlistThe following example configures user authentication (a list of authentication methods called xauthlist) on a dynamic crypto map called xauthdynamic that has been applied to a static crypto map called xauthmap:
crypto map xauthmap client authentication list xauthlistcrypto map xauthmap 10 ipsec-isakmp dynamic xauthdynamicRelated Commands
crypto map client configuration address
To configure IKE Mode Configuration on your router, use the crypto map client configuration address command in global configuration mode. To disable IKE Mode Configuration, use the no form of this command.
crypto map tag client configuration address [initiate | respond]
no crypto map tag client configuration address
Syntax Description
Defaults
IKE Mode Configuration is not enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
At the time of this publication, this feature is an IETF draft with limited support. Therefore this feature was not designed to enable the configuration mode for every IKE connection by default.
Examples
The following examples configure IKE Mode Configuration on your router:
crypto map dyn client configuration address initiatecrypto map dyn client configuration address respondRelated Commands
crypto map (global)
Creates or modifies a crypto map entry and enters the crypto map configuration mode
crypto map isakmp authorization list
To enable Internet Key Exchange (IKE) querying of authentication, authorization, and accounting (AAA) for tunnel attributes in aggressive mode, use the crypto map isakmp authorization list command in global configuration mode. To restore the default value, use the no form of this command.
crypto map map-name isakmp authorization list list-name
no crypto map map-name isakmp authorization list list-name
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the crypto map client authorization list command to enable key lookup from a AAA server.
Preshared keys deployed in a large-scale Virtual Private Network (VPN) without a certification authority, with dynamic IP addresses, are accessed during aggression mode of IKE negotiation through a AAA server. Thus, users have their own key, which is stored on an external AAA server. This allows for central management of the user database, linking it to an existing database, in addition to allowing every user to have their own unique, more secure pre-shared key.
Before configuring the crypto map client authorization list command, you should perform the following tasks:
•
•
•
•
After enabling the crypto map client authorization list command, you should apply the previously defined crypto map to the interface.
Examples
The following example shows how to configure the crypto map client authorization list command:
crypto map ikessaaamap isakmp authorization list ikessaaalistcrypto map ikessaaamap 10 ipsec-isakmp dynamic ikessaaadynRelated Commands
crypto map local-address
To specify and name an identifying interface to be used by the crypto map for IPSec traffic, use the crypto map local-address command in global configuration mode. To remove this command from the configuration, use the no form of this command.
crypto map map-name local-address interface-id
no crypto map map-name local-address
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
If you apply the same crypto map to two interfaces and do not use this command, two separate security associations (with different local IP addresses) could be established to the same peer for similar traffic. If you are using the second interface as redundant to the first interface, it could be preferable to have a single security association (with a single local IP address) created for traffic sharing the two interfaces. Having a single security association decreases overhead and makes administration simpler.
This command allows a peer to establish a single security association (and use a single local IP address) that is shared by the two redundant interfaces.
If applying the same crypto map set to more than one interface, the default behavior is as follows:
•
•
However, if you use a local-address for that crypto map set, it has multiple effects:
•
•
One suggestion is to use a loopback interface as the referenced local address interface, because the loopback interface never goes down.
Examples
The following example assigns crypto map set "mymap" to the S0 interface and to the S1 interface. When traffic passes through either S0 or S1, the traffic will be evaluated against the all the crypto maps in the "mymap" set. When traffic through either interface matches an access list in one of the "mymap" crypto maps, a security association will be established. This same security association will then apply to both S0 and S1 traffic that matches the originally matched IPSec access list. The local address that IPSec will use on both interfaces will be the IP address of interface loopback0.
interface S0crypto map mymapinterface S1crypto map mymapcrypto map mymap local-address loopback0Related Commands
crypto map (interface IPSec)
Applies a previously defined crypto map set to an interface.
crypto mib ipsec flowmib history failure size
To change the size of the IP Security (IPSec) MIB failure history table, use the crypto mib ipsec flowmib history failure size command in global configuration mode.
crypto mib ipsec flowmib history failure size number
Syntax Description
Defaults
If this command is not used, the default table size is 200.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the crypto mib ipsec flowmib history failure size command to change the size of a failure history table. If you do not configure the size of a failure history table, the default of 200 will be implemented.
A failure history table stores the reason for tunnel failure and the time failure occurred. A failure history table can be used as a simple method to distinguish between a normal and an abnormal tunnel termination. That is, if a tunnel entry in the tunnel history table has no associated failure record, the tunnel must have terminated normally. However, every failure does not correspond to a tunnel. Supported setup failures are recorded in the failure table, but a history table is not associated because a tunnel was never set up.
Examples
The following example shows the size of a failure history table configured to be 140:
crypto mib ipsec flowmib history failure size 140Related Commands
crypto mib ipsec flowmib history tunnel size
To change the size of the IP Security (IPSec) tunnel history table, use the crypto mib ipsec flowmib history tunnel size command in global configuration mode.
crypto mib ipsec flowmib history tunnel size number
Syntax Description
Defaults
The default table size is 200.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the crypto mib ipsec flowmib history tunnel size command to change the size of a tunnel history table. If you do not configure the size of a tunnel history table, the default of 200 will be implemented.
A tunnel history table stores the attribute and statistics records, which contain the attributes and the last snapshot of the traffic statistics of a given tunnel. A tunnel history table accompanies a failure table, so you can display the complete history of a given tunnel. However, a tunnel history table does not accompany every failure table because every failure does not correspond to a tunnel. Thus, supported setup failures are recorded in the failure table, but an associated history table is not recorded because a tunnel was never set up.
As an optimization, a tunnel endpoint table can be combined with a tunnel history table. However, if a tunnel endpoint table is combined, all three tables (the failure history table, tunnel history table, and the endpoint table) must remain the same size even though the MIB allows each table to be distinct.
Examples
The following example shows the size of a tunnel history table configured to be 130:
crypto mib ipsec flowmib history tunnel size 130Related Commands
crypto pki authenticate
To authenticate the certification authority (by getting the certificate of the CA), use the crypto pki authenticate command in global configuration mode.
crypto pki authenticate name
Syntax Description
name
Specifies the name of the CA. This is the same name used when the CA was declared with the crypto ca identity command.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
This command is required when you initially configure CA support at your router.
This command authenticates the CA to your router by obtaining the self-signed certificate of the CA that contains the public key of the CA. Because the CA signs its own certificate, you should manually authenticate the public key of the CA by contacting the CA administrator when you perform this command.
If you are using RA mode (using the enrollment mode ra command) when you issue the crypto pki authenticate command, then registration authority signing and encryption certificates will be returned from the CA as well as the CA certificate.
This command is not saved to the router configuration. However. the public keys embedded in the received CA (and RA) certificates are saved to the configuration as part of the RSA public key record (called the "RSA public key chain").
Note
set aggressive-mode client-endpoint user-fqdn user@cisco.com
If you receive an error message similar to this one, check the expiration date of your CA certificate. If the expiration date of your CA certificate is set after the year 2049, you must reduce the expiration date by a year or more.Examples
In the following example, the router requests the certificate of the CA. The CA sends its certificate and the router prompts the administrator to verify the certificate of the CA by checking the CA certificate's fingerprint. The CA administrator can also view the CA certificate's fingerprint, so you should compare what the CA administrator sees to what the router displays on the screen. If the fingerprint on the router's screen matches the fingerprint viewed by the CA administrator, you should accept the certificate as valid.
Router(config)#crypto pki authenticate mycaCertificate has the following attributes:Fingerprint: 0123 4567 89AB CDEF 0123Do you accept this certificate? [yes/no] y#Related Commands
crypto pki cert validate
To determine if a trustpoint has been successfully authenticated, a certificate has been requested and granted, and if the certificate is currently valid, use the crypto pki cert validate command in global configuration mode.
crypto pki cert validate trustpoint
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
The crypto pki cert validate command validates the router's own certificate for a given trustpoint. Use this command as a sanity check after enrollment to verify that the trustpoint is properly authenticated, a certificate has been requested and granted for the trustpoint, and that the certificate is currently valid. A certificate is valid if it is signed by the trustpoint certification authority (CA), not expired, and so on.
Examples
The following examples show the possible output from the crypto pki cert validate command:
Router(config)# crypto pki cert validate kaValidation Failed: trustpoint not found for kaRouter(config)# crypto pki cert validate kaValidation Failed: can't get local certificate chainRouter(config)# crypto pki cert validate kaCertificate chain has 2 certificates.Certificate chain for ka is validRouter(config)# crypto pki cert validate kaCertificate chain has 2 certificates.Validation Error: no certs on chainRouter(config)# crypto pki cert validate kaCertificate chain has 2 certificates.Validation Error: unspecified errorRelated Commands
crypto pki trustpoint
Declares the certification authority that the router should use.
show crypto pki trustpoints
Displays the trustpoints that are configured in the router.
crypto pki certificate chain
To enter the certificate chain configuration mode, use the crypto pki certificate chain command in global configuration mode.
crypto pki certificate chain name
Syntax Description
name
Specifies the name of the certificate authority (CA). The name must match that which was declared for the CA using the crypto pki trustpoint command.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
This command puts you into certificate chain configuration mode. When you are in certificate chain configuration mode, you can delete certificates using the certificate command.
You need to be in certificate chain configuration mode to delete certificates.
Examples
The following example deletes the router's certificate. In this example, the router had a general-purpose RSA key pair with one corresponding certificate. The show command is used to determine the serial number of the certificate to be deleted.
Router# show crypto pki certificatesCertificateSubject NameName: myrouter.example.comIP Address: 10.0.0.1Status: AvailableCertificate Serial Number: 0123456789ABCDEF0123456789ABCDEFKey Usage: General PurposeCA CertificateStatus: AvailableCertificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5FKey Usage: Not SetRouter# configure terminalRouter(config)# crypto pki certificate chain mycaRouter(config-cert-chain)# no certificate 0123456789ABCDEF0123456789ABCDEF% Are you sure you want to remove the certificate [yes/no]? yes% Be sure to ask the CA administrator to revoke this certificate.Router(config-cert-chain)# exitThe following example shows a certificate chain with an active CA certificate and a shadow, or rollover, certificate:
Router# configure terminalRouter(config)# crypto pki certificate chain mycacertificate 06certificate ca 01certificate rollover 0B! This is the peer's shadow PKI certificate.certificate rollover ca 0A! This is the CA shadow PKI certificateThis example shows how the certificate chain is rewritten when rollover actually happens:
Router# configure terminalRouter(config)# crypto pki certificate chain mycacertificate 0Bcertificate ca 0ARelated Commands
crypto pki certificate map
To define certificate-based access control lists (ACLs), use the crypto pki certificate map command in ca-certificate-map configuration mode. To remove the certificate-based ACLs, use the no form of this command.
crypto pki certificate map label sequence-number
no crypto pki certificate map label sequence-number
Syntax Description
Defaults
No default behavior or values
Command Modes
Ca-certificate-map configuration
Command History
Usage Guidelines
Issuing this command places the router in certificate authority (CA) certificate map configuration mode where you can specify several certificate fields together with their matching criteria. The general form of these fields is as follows:
field-name match-criteria match-value
The field-name field in the above example is one of the certificate fields. Field names are similar to the names used in the International Telecommunication Union Telecommunication Standardization Sector (ITU-T) X.509 standard. The name-field is a special field that matches any subject name or related name field in the certificate, such as the alt-subject-name, subject-name, and unstructured-subject-name fields.
•
•
•
•
•
•
•
•
Note
The match-criteria field in the example is one of the following logical operators:
•
•
•
•
•
•
The match-value field is a case-insensitive string or a date.
Examples
The following example shows how to configure a certificate-based ACL that will allow any certificate issued by Company to an entity within the company.com domain. The label is Company, and the sequence is 10.
crypto pki certificate map Company 10issuer-name co Companyunstructured-subject-name co company.comThe following example accepts any certificate issued by Company for an entity with DIAL or organizationUnit component ou=WAN. This certificate-based ACL consists of two separate ACLs tied together with the common label Group. Because the check for DIAL has a lower sequence number, it is performed first. Note that the string "DIAL" can occur anywhere in the subjectName field of the certificate, but the string WAN must be in the organizationUnit component.
crypto pki certificate map Group 10issuer-name co Companysubject-name co DIALcrypto pki certificate map Group 20issuer-name co Companysubject-name co ou=WANCase is ignored in string comparisons; therefore, DIAL in the previous example will match dial, DIAL, Dial, and so on. Also note that the component identifiers (o=, ou=, cn=, and so on) are not required unless it is desirable that the string to be matched occurs in a specific component of the name. (Refer to the ITU-T security standards for more information about certificate fields and components such as ou=.)
If a component identifier is specified in the match string, the exact string, including the component identifier, must appear in the certificate. This requirement can present a problem if more than one component identifier is included in the match string. For example, "ou=WAN,o=Company" will not match a certificate with the string "ou=WAN,ou=Engineering,o=Company" because the "ou=Engineering" string separates the two desired component identifiers.
To match both "ou=WAN" and "o=Company" in a certificate while ignoring other component identifiers, you could use this certificate map:
crypto pki certificate map Group 10subject-name co ou=WANsubject-name co o=CompanyAny space character proceeding or following the equal sign (=) character in component identifiers is ignored. Therefore "o=Company" in the proceeding example will match "o = Company," "o =Company," and so on.
The following example shows a CA map file used to certificate serial number session control:
crypto pki trustpoint CA1enrollment url http://CA1ip-address FastEthernet0/0crl query ldap://CA1_ldaprevocation-check crlmatch certificate crl-map1crypto pki certificate map crl-map1 1serial-number ne 489dRelated Commands
crypto pki certificate query (ca-trustpoint)
To specify that certificates should not be stored locally but retrieved from a certification authority (CA) trustpoint, use the crypto pki certificate query command in ca-trustpoint configuration mode. To cause certificates to be stored locally per trustpoint, use the no form of this command.
crypto pki certificate query
no crypto pki certificate query
Syntax Description
This command has no arguments or keywords.
Defaults
CA trustpoints are stored locally in the router's NVRAM.
Command Modes
Ca-trustpoint configuration
Command History
Usage Guidelines
Normally, certain certificates are stored locally in the router's NVRAM, and each certificate uses a moderate amount of memory. To save NVRAM space, you can use this command to put the router into query mode, preventing certificates from being stored locally; instead, they are retrieved from a specified CA trustpoint when needed. This will save NVRAM space but could result in a slight performance impact.
The crypto pki certificate query command is a subcommand for each trustpoint; thus, this command can be disabled on a per-trustpoint basis.
Before you can configure this command, you must enable the crypto pki trustpoint command, which puts you in ca-trustpoint configuration mode.
Note
Examples
The following example shows how to prevent certificates and certificate revocation lists (CRLs) from being stored locally on the router; instead, they are retrieved from the "ka" trustpoint when needed.
crypto pki trustpoint ka...crypto pki certificate queryRelated Commands
crypto pki certificate storage
To specify the local storage location for public key infrastructure (PKI) credentials, use the crypto pki certificate storage command in global configuration mode. To restore the default behavior, that is to store PKI credentials to NVRAM, use the no form of this command.
crypto pki certificate storage location-name
no crypto pki certificate storage
Syntax Description
Defaults
NVRAM is the default local storage location if this command is not issued.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
All Cisco platforms support NVRAM and flash local storage. Depending on your platform, you may have other supported local storage options including bootflash, slot, disk, USB flash, or USB token.
During run time, you can specify what active local storage device you would like to use to store PKI credentials. You must have the following system requirements before you can specify PKI credentials local storage location:
•
•
•
•
When using a local storage device to store PKI data, the following restrictions are applicable:
•
•
•
Examples
The following configuration example shows how to store certificates to the certs subdirectory. The certs subdirectory does not exist and is automatically created.
Router# dir nvram:114 -rw- 4687 <no date> startup-config115 ---- 5545 <no date> private-config116 -rw- 4687 <no date> underlying-config1 ---- 34 <no date> persistent-data3 -rw- 707 <no date> ioscaroot#7401CA.cer9 -rw- 863 <no date> msca-root#826E.cer10 -rw- 759 <no date> msca-root#1BA8CA.cer11 -rw- 863 <no date> msca-root#75B8.cer24 -rw- 1149 <no date> storagename#6500CA.cer26 -rw- 863 <no date> msca-root#83EE.cer129016 bytes total (92108 bytes free)Router# config terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# crypto pki certificate storage disk0:/certsRequested directory does not exist -- createdCertificates will be stored in disk0:/certs/Router(config)# endRouter# write*May 27 02:09:00:%SYS-5-CONFIG_I:Configured from console by consolememBuilding configuration...[OK]Router# directory disk0:/certsDirectory of disk0:/certs/14 -rw- 707 May 27 2005 02:09:02 +00:00 ioscaroot#7401CA.cer15 -rw- 863 May 27 2005 02:09:02 +00:00 msca-root#826E.cer16 -rw- 759 May 27 2005 02:09:02 +00:00 msca-root#1BA8CA.cer17 -rw- 863 May 27 2005 02:09:02 +00:00 msca-root#75B8.cer18 -rw- 1149 May 27 2005 02:09:02 +00:00 storagename#6500CA.cer19 -rw- 863 May 27 2005 02:09:02 +00:00 msca-root#83EE.cer47894528 bytes total (20934656 bytes free)! The certificate files are now on disk0/certs:Related Commands
show crypto pki certificates storage
Displays the current PKI certificate storage location.
crypto pki crl request
To request that a new certificate revocation list (CRL) be obtained immediately from the certification authority, use the crypto pki crl request command in global configuration mode.
crypto pki crl request name
Syntax Description
name
Specifies the name of the CA. This is the same name used when the CA was declared with the crypto pki trustpoint command.
Defaults
Normally, the router requests a new CRL when it is verifying a certificate and there is no CRL cached.
Command Modes
Global configuration
Command History
Usage Guidelines
A CRL lists all the certificates of the network device that have been revoked. Revoked certificates will not be honored by your router; therefore, any IPSec device with a revoked certificate cannot exchange IP Security traffic with your router.
The first time your router receives a certificate from a peer, it will download a CRL from the CA. Your router then checks the CRL to make sure the certificate of the peer has not been revoked. (If the certificate appears on the CRL, it will not accept the certificate and will not authenticate the peer.)
A CRL can be reused with subsequent certificates until the CRL expires. If your router receives the certificate of a peer after the applicable CRL has expired, it will download the new CRL.
If your router has a CRL which has not yet expired, but you suspect that the contents of the CRL are out of date, use the crypto pki crl request command to request that the latest CRL be immediately downloaded to replace the old CRL.
This command is not saved to the configuration.
Note
Examples
The following example immediately downloads the latest CRL to your router:
crypto pki crl requestcrypto pki enroll
To obtain the certificate(s) for your router from the certificate authority (CA), use the crypto pki enroll command in global configuration mode. To delete a current enrollment request, use the no form of this command.
crypto pki enroll name
no crypto pki enroll name
Syntax Description
name
Specifies the name of the CA. Use the same name as when you declared the CA using the crypto pki trustpoint command.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
This command requests certificates from the CA for all of your router's Rivest, Shamir, and Adelmen (RSA) key pairs. This task is also known as enrolling with the CA. (Technically, enrolling and obtaining certificates are two separate events, but they both occur when this command is issued.)
Your router needs a signed certificate from the CA for each RSA key pairs of your router; if you previously generated general purpose keys, this command obtains the one certificate corresponding to the one general purpose RSA key pair. If you previously generated special usage keys, this command obtains two certificates corresponding to each of the special usage RSA key pairs.
If you already have a certificate for your keys you are unable to complete this command; instead, you are prompted to remove the existing certificate first. (You can remove existing certificates with the no certificate command.)
The crypto pki enroll command is not saved in the router configuration.
Note
Responding to Prompts
When you issue the crypto pki enroll command, you are prompted a number of times.
First, you are prompted to create a challenge password. This password can be up to 80 characters in length. This password is necessary in the event that you ever need to revoke your router's certificate(s). When you ask the CA administrator to revoke your certificate, you must supply this challenge password as a protection against fraudulent or mistaken revocation requests.
Note
If you lose the password, the CA administrator may still be able to revoke the router's certificate but will require further manual authentication of the router administrator identity.
You are also prompted to indicate whether or not your router's serial number should be included in the obtained certificate. The serial number is not used by IP Security or Internet Key Exchange, but may be used by the CA to either authenticate certificates or to later associate a certificate with a particular router. (Note that the serial number stored is the serial number of the internal board, not the one on the enclosure.) Ask your CA administrator if serial numbers should be included. If you are in doubt, include the serial number.
Normally, you would not include the IP address because the IP address binds the certificate more tightly to a specific entity. Also, if the router is moved, you would need to issue a new certificate. Finally, a router has multiple IP addresses, any of which might be used with IPSec.
If you indicate that the IP address should be included, you will then be prompted to specify the interface of the IP address. This interface should correspond to the interface that you apply your crypto map set to. If you apply crypto map sets to more than one interface, specify the interface that you name in the crypto map local-address command.
Examples
In the following example, a router with a general-purpose RSA key pair requests a certificate from the CA. When the router displays the certificate fingerprint, the administrator verifies this number by calling the CA administrator, who checks the number. The fingerprint is correct, so the router administrator accepts the certificate.
There can be a delay between when the router administrator sends the request and when the certificate is actually received by the router. The amount of delay depends on the CA method of operation.
Router(config)# crypto pki enroll myca%% Start certificate enrollment ..% Create a challenge password. You will need to verbally provide thispassword to the CA Administrator in order to revoke your certificate.For security reasons your password will not be saved in the configuration.Please make a note of it.Password: <password1>Re-enter password: <password1>% The subject name in the certificate will be: myrouter.example.com% Include the router serial number in the subject name? [yes/no]: yes% The serial number in the certificate will be: 03433678% Include an IP address in the subject name [yes/no]? yesInterface: ethernet0/0Request certificate from CA [yes/no]? yes% Certificate request sent to Certificate Authority% The certificate request fingerprint will be displayed.% The 'show crypto pki certificates' command will also show the fingerprint.Some time later, the router receives the certificate from the CA and displays the following confirmation message:
Router(config)# Fingerprint: 01234567 89ABCDEF FEDCBA98 75543210%CRYPTO-6-CERTRET: Certificate received from Certificate AuthorityRouter(config)#If necessary, the router administrator can verify the displayed fingerprint with the CA administrator.
If there is a problem with the certificate request and the certificate is not granted, the following message is displayed on the console instead:
%CRYPTO-6-CERTREJ: Certificate enrollment request was rejected by Certificate AuthorityThe subject name in the certificate is automatically assigned to be the same as the RSA key pair's name. In the above example, the RSA key pair was named "myrouter.example.com." (The router assigned this name.)
Requesting certificates for a router with special usage keys would be the same as the previous example, except that two certificates would have been returned by the CA. When the router received the two certificates, the router would have displayed the same confirmation message:
%CRYPTO-6-CERTRET: Certificate received from Certificate AuthorityRelated Commands
crypto pki export pem
To export certificates and Rivest, Shamir, and Adelman (RSA) keys that are associated with a trustpoint in a privacy-enhanced mail (PEM)-formatted file, use the crypto pki export pem command in global configuration mode.
crypto pki export trustpoint pem {terminal | url url} {3des | des} passphrase [rollover]
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
The crypto pki export pem command allows you to export certificate and RSA key pairs in PEM-formatted files. The PEM files can then be imported back into the Cisco IOS router (via the crypto pki import pem command) or other public key infrastructure (PKI) applications.
Examples
The following example shows how to generate and export the RSA key pair "aaa" and certificates of the router in PEM files that are associated with the trustpoint "mycs":
Router(config)# crypto key generate rsa general-keys label aaa exportableThe name for the keys will be:aaaChoose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.!How many bits in the modulus [512]:% Generating 512 bit RSA keys ...[OK]!Router(config)# crypto pki trustpoint mycsRouter(ca-trustpoint)# enrollment url http://mycsRouter(ca-trustpoint)# rsakeypair aaaRouter(ca-trustpoint)# exitRouter(config)# crypto pki authenticate mycsCertificate has the following attributes:Fingerprint:C21514AC 12815946 09F635ED FBB6CF31% Do you accept this certificate? [yes/no]:yTrustpoint CA certificate accepted.!Router(config)# crypto pki enroll mycs%% Start certificate enrollment ..% Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate.For security reasons your password will not be saved in the configuration.Please make a note of it.Password:Re-enter password:% The fully-qualified domain name in the certificate will be:Router% The subject name in the certificate will be:bizarro.cisco.com% Include the router serial number in the subject name? [yes/no]:n% Include an IP address in the subject name? [no]:nRequest certificate from CA? [yes/no]:y% Certificate request sent to Certificate Authority% The certificate request fingerprint will be displayed.% The 'show crypto ca certificate' command will also show the fingerprint.Router(config)# Fingerprint: 8DA777BC 08477073 A5BE2403 812DD15700:29:11:%CRYPTO-6-CERTRET:Certificate received from Certificate AuthorityRouter(config)# crypto pki export aaa pem terminal 3des cisco123% CA certificate:-----BEGIN CERTIFICATE-----MIICAzCCAa2gAwIBAgIBATANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzES<snip>waDeNOSI3WlDa0AWq5DkVBkxwgn0TqIJXJOCttjHnWHK1LMcMVGn-----END CERTIFICATE-----% Key name:aaaUsage:General Purpose Key-----BEGIN RSA PRIVATE KEY-----Proc-Type:4,ENCRYPTEDDEK-Info:DES-EDE3-CBC,ED6B210B626BC81AUrguv0jnjwOgowWVUQ2XR5nbzzYHI2vGLunpH/IxIsJuNjRVjbAAUpGk7VnPCT87<snip>kLCOtxzEv7JHc72gMku9uUlrLSnFH5slzAtoC0czfU4=-----END RSA PRIVATE KEY-----% Certificate:-----BEGIN CERTIFICATE-----MIICTjCCAfigAwIBAgICIQUwDQYJKoZIhvcNAQEFBQAwTjELMAkGA1UEBhMCVVMx<snip>6xlBaIsuMxnHmr89KkKkYlU6-----END CERTIFICATE-----Related Commands
crypto pki export pkcs12
To export Rivest, Shamir, and Adelman (RSA) keys within a PKCS12 file at a specified location, use the crypto pki export pkcs12 command in global configuration mode.
crypto pki export trustpointname pkcs12 destination url passphrase
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
The crypto pki export pkcs12 command creates a PKCS 12 file that contains an RSA key pair. The PKCS12 file, along with a certificate authority (CA), is exported to the location that you specify with the destination URL. If you decide not to import the file to another router, you must delete the file.
Security Measures
Keep the PKCS12 file stored in a secure place with restricted access.
An RSA keypair is more secure than a passphrase because the private key in the key pair is not known by multiple parties. When you export an RSA key pair to a PKCS#12 file, the RSA key pair now is only as secure as the passphrase.
To create a good passphrase, be sure to include numbers, as well as both lowercase and uppercase letters. Avoid publicizing the passphrase by mentioning it in e-mail or cell phone communications because the information could be accessed by an unauthorized user.
Examples
The following example exports an RSA key pair with a trustpoint name "mytp" to a Flash file:
Router(config)# crypto pki export mytp pkcs12 flash:myexport mycompanyRelated Commands
crypto pki import
To import a certificate manually via TFTP or as a cut-and-paste at the terminal, use the crypto pki import command in global configuration mode.
crypto pki import name certificate
Syntax Description
name certificate
Name of the certification authority (CA). This name is the same name used when the CA was declared with the crypto pki trustpoint command.
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
You must enter the crypto pki import command twice if usage keys (signature and encryption keys) are used. The first time the command is entered, one of the certificates is pasted into the router; the second time the command is entered, the other certificate is pasted into the router. (It does not matter which certificate is pasted first.)
Examples
The following example shows how to import a certificate via cut-and-paste. In this example, the CA trustpoint is "MS."
crypto pki trustpoint MSenroll terminalcrypto pki authenticate MS!crypto pki enroll MScrypto pki import MS certificateRelated Commands
crypto pki import pem
To import certificates and Rivest, Shamir, and Adelman (RSA) keys to a trustpoint from privacy-enhanced mail (PEM)-formatted files, use the crypto pki import pem command in global configuration mode.
crypto pki import trustpoint pem [usage-keys] {terminal | url url} [exportable] passphrase
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
The crypto pki import pem command allows you import certificates and RSA key pairs in PEM-formatted files. The files can be previously exported from another router or generated from other public key infrastructure (PKI) applications.
Examples
The following example shows how to import PEM files to trustpoint "ggg" via TFTP:
Router(config)# crypto pki import ggg pem url tftp://10.1.1.2/user1/msca cisco1234% Importing CA certificate...Address or name of remote host [10.1.1.2]?Destination filename [user1/msca.ca]?Reading file from tftp://10.1.1.2/user1/msca.caLoading user1/msca.ca from 10.1.1.2 (via Ethernet0):![OK - 1082 bytes]% Importing private key PEM file...Address or name of remote host [10.1.1.2]?Destination filename [user1/msca.prv]?Reading file from tftp://10.1.1.2/user1/msca.prvLoading user1/msca.prv from 10.1.1.2 (via Ethernet0):![OK - 573 bytes]% Importing certificate PEM file...Address or name of remote host [10.1.1.2]?Destination filename [user1/msca.crt]?Reading file from tftp://10.1.1.2/user1/msca.crtLoading user1/msca.crt from 10.1.1.2 (via Ethernet0):![OK - 1289 bytes]% PEM files import succeeded.Router(config)#Related Commands
crypto pki import pkcs12
To import Rivest, Shamir, and Adelman (RSA) keys, use the crypto pki import pkcs12 command in global configuration mode.
crypto pki import trustpointname pkcs12 source url passphrase
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
When you enter the crypto pki import pkcs12 command, a ke pair and a trustpoint are generated. If you then decide you want to remove the key pair and trustpoint that were generated, enter the crypto key zeroize rsa command to zeroize the key pair and enter the no crypto pki trustpoint command to remove the trustpoint.
Note
Examples
In the following example, an RSA key pair that has been associated with the trustpoint "forward" is to be imported:
Router(config)# crypto pki import forward pkcs12 flash:myexport mycompanyRelated Commands
crypto pki export pkcs12
Exports RSA keys.
crypto pki trustpoint
Declares the CA that your router should use.
crypto key zeroize rsa
Deletes all RSA keys from your router.
crypto pki profile enrollment
To define an enrollment profile, use the crypto pki profile enrollment command in global configuration mode. To delete all information associated with this enrollment profile, use the no form of this command.
crypto pki profile enrollment label
no crypto pki profile enrollment label
Syntax Description
label
Name for the enrollment profile; the enrollment profile name must match the name specified in the enrollment profile command.
Defaults
An enrollment profile does not exist.
Command Modes
Global configuration
Command History
Usage Guidelines
Before entering this command, you must specify a named enrollment profile using the enrollment profile in ca-trustpoint configuration mode.
After entering the crypto pki profile enrollment command, you can use any of the following commands to define the profile parameters:
•
•
•
•
•
•
•
Note
Examples
The following example shows how to define the enrollment profile named "E" and associated profile parameters:
crypto pki trustpoint Entrustenrollment profile Eserialcrypto pki profile enrollment Eauthentication url http://entrust:81authentication command GET /certs/cacert.derenrollment url http://entrust:81/cda-cgi/clientcgi.exeenrollment command POST reference_number=$P2&authcode=$P1&retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQparameter 1 value aaaa-bbbb-ccccparameter 2 value 5001Related Commands
crypto pki server
To enable a Cisco IOS certificate server and enter certificate server configuration mode or to immediately generate shadow certificate authority (CA) credentials, use the crypto pki server command in global configuration mode. To disable a certificate server (which is the default functionality), use the no form of this command.
crypto pki server cs-label [rollover [cancel] [request pkcs10 terminal]]
no crypto pki server cs-label
Syntax Description
Defaults
A certificate server is not enabled; the automatic CA certificate rollover process is not initiated.
Command Modes
Global configuration
Command History
Usage Guidelines
A certificate server allows you to more easily deploy public key infrastructure (PKI) by defining default behavior, which limits user interface complexity. To define the functionality of the certificate server, you can use any of the following certificate server configuration mode commands:
•
•
•
•
Note
•
•
•
•
Note
Automated CA Certificate Rollover
CAs and their clients, have certificates with expiration dates that have to be reissued when the current certificate is about to expire. CAs also have key pairs used to sign client certificates. When the CA certificate is expiring it must generate a new certificate and possibly a new key pair. This process, called rollover, allows for continuous operation of the network while clients and the certificate server are switching from an expiring CA certificate to a new CA certificate.
Examples
The following example shows how to enable the certificate server "mycertserver":
Router(config)# ip http serverRouter(config)# crypto pki server mycertserverRouter(cs-server)# database url tftp://mytftp/user1/mycertserverThe following example shows how to disable the certificate server "mycertserver":
Router(config)# no crypto pki server mycertserver% This will stop the Certificate Server process and delete the serverconfigurationAre you sure you want to do this? [yes/no]: yes% Do you also want to remove the associated trustpoint andsigning certificate and key? [yes/no]: no% Certificate Server Process stoppedThe following example shows a shadow client certificate request from a terminal:
Router# crypto pki server mycs rollover request pkcs10 terminal% Enter Base64 encoded or PEM formatted PKCS10 enrollment request.% End with a blank line or "quit" on a line by itself.-----BEGIN CERTIFICATE REQUEST-----MIIBUTCBuwIBADASMRAwDgYDVQQDEwdOZXdSb290MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDMHeev1ERSs320zbLQQk+3lhV/R2HpYQ/iM6uT1jkJf5iy0UPRwF/X16yUNmG+ObiGiW9fsASF0nxZw+fO7d2X2yh1PakfvF2wbP27C/sgJNOw9uPfsBxEc40Xe0d5FMh0YKOSAShfZYKOflnyQR2Drmm2x/33QGol5QyRvjkeWQIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEALM90r4d79X6vxhD0qjuYJXfBCOvv4FNyFsjraBS/y6CnNVYySF8UBUohXYIGTWf4I4+sj6i8gYfoFUW1/L82djS18TLrUr6wpCOsRqfAfps7HW1e4cizOfjAUU+C7lNcobCAhwF1o6q2nIEjpQ/2yfK9O7sb3SCJZBfeeW3tyCo=-----END CERTIFICATE REQUEST-----Related Commands
crypto pki server info requests
Displays all outstanding certificate enrollment requests.
ip http server
Enables an HTTP server on your network.
crypto pki trustpoint
To declare the trustpoint that your router should use, use the crypto pki trustpoint command in global configuration mode. To delete all identity information and certificates associated with the trustpoint, use the no form of this command.
crypto pki trustpoint name
no crypto pki trustpoint name
Syntax Description
name
Creates a name for the trustpoint. (If you previously declared the trustpoint and just want to update its characteristics, specify the name you previously created.)
Defaults
Your router does not recognize any trustpoints until you declare a trustpoint using this command.
Your router uses unique identifiers during communication with Online Certificate Status Protocol (OCSP) servers, as configured in your network.
Command Modes
Global configuration
Command History
Usage Guidelines
Declaring Truspoints
Use the crypto pki trustpoint command to declare a trustpoint, which can be a self-signed root certificate authority (CA) or a subordinate CA. Issuing the crypto pki trustpoint command puts you in ca-trustpoint configuration mode.
You can specify characteristics for the trustpoint using the following subcommands:
•
•
•
•
•
•
•
•
•
Specifying Use of Unique Identifiers
When using OCSP as your revocation method, unique identifiers, or nonces, are sent by default during peer communications with the OCSP server. The use of unique identifiers during OCSP server communications enables more secure and reliable communications. However, not all OCSP servers support the use of unique dentures, see your OCSP manual for more information. To disable the use of unique identifiers during OCSP communications, use the ocsp disable-nonce subcommand.
Examples
The following example shows how to declare the CA named ka and specify enrollment and CRL parameters:
crypto pki trustpoint kaenrollment url http://kahului:80The following example shows a certificate-based ACL with the label Group defined in a crypto pki certificate map command and included in the match certificate subcommand of the crypto pki trustpoint command:
crypto pki certificate map Group 10subject-name co ou=WANsubject-name co o=Cisco!crypto pki trustpoint pki1match certificate GroupThe following example shows a self-signed certificate being designated for a trustpoint named local using the enrollment selfsigned subcommand of the crypto pki trustpoint command:
crypto pki trustpoint localenrollment selfsignedThe following example shows the unique identifier being disabled for OCSP communications for a previously created trustpoint named ts:
crypto pki trustpoint tsocsp disable-nonceRelated Commands
ctype
To preauthenticate calls on the basis of the call type, use the ctype command in AAA preauthentication configuration mode. To remove the ctype command from your configuration, use the no form of this command.
ctype [if-avail | required] [accept-stop] [password password] [digital | speech | v.110 | v.120]
no ctype [if-avail | required] [accept-stop] [password password] [digital | speech | v.110 | v.120]
Syntax Description
Defaults
The if-avail and required keywords are mutually exclusive. If the if-avail keyword is not configured, the preauthentication setting defaults to required.
The default password string is cisco.
Command Modes
AAA preauthentication configuration
Command History
Usage Guidelines
You may configure more than one of the AAA preauthentication commands (clid, ctype, dnis) to set conditions for preauthentication. The sequence of the command configuration decides the sequence of the preauthentication conditions. For example, if you configure dnis, then clid, then ctype, in this order, then this is the order of the conditions considered in the preauthentication process.
In addition to using the preauthentication commands to configure preauthentication on the Cisco router, you must set up the preauthentication profiles on the RADIUS server.
Set up the RADIUS preauthentication profile with the call type string as the username and with the password that is defined in the ctype command as the password. Table 16 shows the call types that you may use in the preauthentication profile.
Examples
The following example specifies that incoming calls be preauthenticated on the basis of the call type:
aaa preauthgroup radiusctype requiredRelated Commands
