Storing PKI Credentials
First Published: May 2, 2005
Last Updated: February 28, 2011
This module explains how to store public key infrastructure (PKI) credentials, such as Rivest, Shamir, and Adleman (RSA) keys and certificates, in a specific location. Certificates are stored in NVRAM by default; depending on your platform, other local storage locations, such as flash, are also supported.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Storing PKI Credentials" section.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•Prerequisites for Storing PKI Credentials
•Restrictions for Storing PKI Credentials
•Information About Storing PKI Credentials
•How to Configure Storing PKI Credentials Locally
•Configuration Examples for PKI Storage
•Additional References
•Feature Information for Storing PKI Credentials
Prerequisites for Storing PKI Credentials
Before you can specify the local certificate storage location, your system should meet the following requirements:
•A Cisco IOS XE Release 2.1-enabled image or a later image
•A platform that supports storing PKI credentials as separate files
•A configuration that contains at least one certificate
•An accessible local file system
Restrictions for Storing PKI Credentials
When storing certificates to a local storage location, the following restrictions are applicable:
•Only local file systems may be used. An error message will be displayed if a remote file system is selected, and the command will not take effect.
•A subdirectory may be specified if supported by the local file system. NVRAM does not support subdirectories.
Information About Storing PKI Credentials
Certificates are stored to NVRAM by default; however, some routers do not have the required amount of NVRAM to successfully store certificates. You have the ability to specify where certificates are stored on a local file system.
All Cisco platforms support NVRAM and flash local storage. Depending on your platform, you may have other supported local storage options, including bootflash, slot, disk, and USB flash.
At run time, you can specify which local storage device is used to store certificates.
How to Configure Storing PKI Credentials Locally
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto pki certificate storage location-name
4. exit
5. copy source-url destination-url
6. show crypto pki certificates storage
DETAILED STEPS
Step 1
enable
Example:
Router> enable
Purpose: Enables privileged EXEC mode.
•Enter your password if prompted.
Step 2
configure terminal
Example:
Router# configure terminal
Purpose: Enters global configuration mode.
Step 3
crypto pki certificate storage location-name
Example:
Router(config)# crypto pki certificate storage flash:/certs
Purpose: Specifies the local storage location for certificates.
Step 4
exit
Example:
Router(config)# exit
Purpose: Exits global configuration mode.
Step 5
copy source-url destination-url
Example:
Router# copy system:running-config nvram:startup-config
Purpose: (Optional) Saves the running configuration to the startup configuration.
Note Settings will only take effect when the running configuration is saved to the startup configuration.
Step 6
show crypto pki certificates storage
Example:
Router# show crypto pki certificates storage
Purpose: (Optional) Displays the current setting for the PKI certificate storage location.
Examples
The following is sample output for the show crypto pki certificates storage command where the certificates are stored in the certs subdirectory of disk0:
Router# show crypto pki certificates storage
Certificates will be stored in disk0:/certs/
Configuration Examples for PKI Storage
The following configuration example shows how to store certificates to the certs subdirectory. The certs subdirectory does not exist and is automatically created.
114 -rw- 4687 <no date> startup-config
115 ---- 5545 <no date> private-config
116 -rw- 4687 <no date> underlying-config
1 ---- 34 <no date> persistent-data
3 -rw- 707 <no date> ioscaroot#7401CA.cer
9 -rw- 863 <no date> msca-root#826E.cer
10 -rw- 759 <no date> msca-root#1BA8CA.cer
11 -rw- 863 <no date> msca-root#75B8.cer
24 -rw- 1149 <no date> storagename#6500CA.cer
26 -rw- 863 <no date> msca-root#83EE.cer
129016 bytes total (92108 bytes free)
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# crypto pki certificate storage disk0:/certs
Requested directory does not exist -- created
Certificates will be stored in disk0:/certs/
*May 27 02:09:00:%SYS-5-CONFIG_I:Configured from console by consolemem
Building configuration...
Router# directory disk0:/certs
Directory of disk0:/certs/
14 -rw- 707 May 27 2005 02:09:02 +00:00 ioscaroot#7401CA.cer
15 -rw- 863 May 27 2005 02:09:02 +00:00 msca-root#826E.cer
16 -rw- 759 May 27 2005 02:09:02 +00:00 msca-root#1BA8CA.cer
17 -rw- 863 May 27 2005 02:09:02 +00:00 msca-root#75B8.cer
18 -rw- 1149 May 27 2005 02:09:02 +00:00 storagename#6500CA.cer
19 -rw- 863 May 27 2005 02:09:02 +00:00 msca-root#83EE.cer
47894528 bytes total (20934656 bytes free)
! The certificate files are now on disk0/certs:
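As an added example (not Cisco's code or output), the following Python script encodes the rules listed under "Restrictions for Storing PKI Credentials" and checks the migration shown in the configuration example above. It validates a candidate location-name against the local-only and NVRAM-no-subdirectory rules, parses the output of show crypto pki certificates storage and of dir, and confirms that every certificate file present in the old location also appears in the new one. The remote URL prefixes (tftp:, ftp:, http:, https:, scp:, rcp:) and the numbered forms of the local prefixes (disk0:, slot1:, usbflash0:) are assumptions; the sample listings are constructed from the page's own example output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Local file systems named on the page: NVRAM, flash, bootflash, slot, disk,
# USB flash. The numbered forms (disk0:, slot1:, usbflash0:) are an assumption.
LOCAL_FS = re.compile(r"^(nvram|flash|bootflash|slot\d*|disk\d*|usbflash\d*):", re.IGNORECASE)

# The page only says a "remote file system" is rejected; these URL prefixes
# are assumed examples of remote file systems, not a list taken from the page.
REMOTE_FS = ("tftp:", "ftp:", "http:", "https:", "scp:", "rcp:")


def validate_storage_location(location: str) -> Optional[str]:
    """Apply the page's two restrictions to a candidate location-name.
    Returns None when the location is acceptable, otherwise a short reason."""
    loc = location.strip()
    if loc.lower().startswith(REMOTE_FS):
        return "remote file systems are not allowed"
    m = LOCAL_FS.match(loc)
    if m is None:
        return "not a recognised local file system"
    fs = m.group(1).lower()
    subdir = loc[m.end():].strip("/")
    if fs == "nvram" and subdir:
        return "NVRAM does not support subdirectories"
    return None


# One line of IOS `dir` output: index, permissions, size, date, file name.
# The date is either "<no date>" or "Mon DD YYYY HH:MM:SS +HH:MM".
DIR_LINE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<perms>[-rwx]{4})\s+(?P<size>\d+)\s+"
    r"(?P<date><no date>|[A-Za-z]{3}\s+\d{1,2}\s+\d{4}\s+\d{2}:\d{2}:\d{2}\s+[+-]\d{2}:\d{2})\s+"
    r"(?P<name>\S+)\s*$"
)
SHOW_STORAGE = re.compile(r"Certificates will be stored in (\S+)")


@dataclass(frozen=True)
class DirEntry:
    index: int
    perms: str
    size: int
    name: str


def parse_dir(output: str) -> List[DirEntry]:
    """Parse `dir` output; prompt, header and totals lines are skipped."""
    entries = []
    for line in output.splitlines():
        m = DIR_LINE.match(line)
        if m:
            entries.append(DirEntry(int(m["index"]), m["perms"], int(m["size"]), m["name"]))
    return entries


def certificate_files(entries: List[DirEntry]) -> List[str]:
    """Certificate files appear as <label>#<id>.cer in the page's listings."""
    return sorted(e.name for e in entries if e.name.lower().endswith(".cer"))


def storage_location_from_show(output: str) -> Optional[str]:
    """Extract the location reported by `show crypto pki certificates storage`."""
    m = SHOW_STORAGE.search(output)
    return m.group(1) if m else None


def missing_after_move(old_listing: str, new_listing: str) -> Set[str]:
    """Certificate files present in the old location but absent from the new one."""
    old = set(certificate_files(parse_dir(old_listing)))
    new = set(certificate_files(parse_dir(new_listing)))
    return old - new


# Constructed sample input, copied from the page's example listings.
NVRAM_LISTING = """\
  114  -rw-        4687                    <no date>  startup-config
  115  ----        5545                    <no date>  private-config
  116  -rw-        4687                    <no date>  underlying-config
    1  ----          34                    <no date>  persistent-data
    3  -rw-         707                    <no date>  ioscaroot#7401CA.cer
    9  -rw-         863                    <no date>  msca-root#826E.cer
   10  -rw-         759                    <no date>  msca-root#1BA8CA.cer
   11  -rw-         863                    <no date>  msca-root#75B8.cer
   24  -rw-        1149                    <no date>  storagename#6500CA.cer
   26  -rw-         863                    <no date>  msca-root#83EE.cer
129016 bytes total (92108 bytes free)
"""
DISK_LISTING = """\
Directory of disk0:/certs/
   14  -rw-         707   May 27 2005 02:09:02 +00:00  ioscaroot#7401CA.cer
   15  -rw-         863   May 27 2005 02:09:02 +00:00  msca-root#826E.cer
   16  -rw-         759   May 27 2005 02:09:02 +00:00  msca-root#1BA8CA.cer
   17  -rw-         863   May 27 2005 02:09:02 +00:00  msca-root#75B8.cer
   18  -rw-        1149   May 27 2005 02:09:02 +00:00  storagename#6500CA.cer
   19  -rw-         863   May 27 2005 02:09:02 +00:00  msca-root#83EE.cer
47894528 bytes total (20934656 bytes free)
"""
SHOW_OUTPUT = "Certificates will be stored in disk0:/certs/\n"

if __name__ == "__main__":
    for loc in ("flash:/certs", "nvram:", "nvram:/certs", "tftp://192.0.2.10/certs"):
        print(f"{loc:26} -> {validate_storage_location(loc) or 'ok'}")
    print("configured location:", storage_location_from_show(SHOW_OUTPUT))
    print("not yet copied:", missing_after_move(NVRAM_LISTING, DISK_LISTING) or "none")
```

The validator rejects a location before the change is attempted, so it can be used in a change-review or pre-check script; the listing comparison is the post-change check that all certificate files were carried over to the new location.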
Additional References
Related Documents
Technical Assistance
Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/cisco/web/support/index.html
Feature Information for Storing PKI Credentials
Table 1 lists the features in this module and provides links to specific configuration information.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Table 1 Feature Information for Storing PKI Credentials
Feature Name: Certificate — Storage Location Specification
Releases: Cisco IOS XE Release 2.1
Feature Information: This feature allows you to specify the storage location of local certificates for platforms that support storing certificates as separate files. All Cisco platforms support NVRAM, which is the default location, and flash local storage. Depending on your platform, you may have other supported local storage options including bootflash, slot, disk, or USB flash. The following sections provide information about this feature:
•How to Configure Storing PKI Credentials Locally
•Configuration Examples for PKI Storage
The following commands were introduced by this feature: crypto pki certificate storage, show crypto pki certificates storage
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at http://www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2005-2011 Cisco Systems, Inc. All rights reserved.