minimal: Enough information is stored only to continue to issue new certificates without conflict; this is the default.
names: In addition to the information given in the minimal level, the serial number and subject name of each certificate are stored.
complete: In addition to the information given in the minimal and names levels, each issued certificate is written to the database.
3. database url root-url
   The default location for the database entries to be written is flash; however, NVRAM is recommended for this task.
4. issuer-name DN-string
   E.g.: issuer-name CN=CA-Name
5. grant auto
6. no shutdown
Autoenroll and authenticate the SRST router to the CA server:
1. crypto pki trustpoint SRST-Trustpoint-Name
2. enrollment url url
   If the CA is on the router itself, the URL is http://router-ip-address
3. revocation-check none
4. rsakeypair keypair-label
5. exit
6. crypto pki authenticate SRST-Trustpoint-Name
Certificate has the following attributes:
Fingerprint MD5: 4C894B7D 71DBA53F 50C65FD7 75DDBFCA
Fingerprint SHA1: 5C3B6B9E EFA40927 9DF6A826 58DA618A BF39F291
% Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.
Enroll the SRST trustpoint: crypto pki enroll SRST-Trustpoint-Name
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
  password to the CA Administrator in order to revoke your certificate.
  For security reasons your password will not be saved in the configuration.
  Please make a note of it.
Password:
Re-enter password:
% The fully-qualified domain name in the certificate will be: router.cisco.com
% The subject name in the certificate will be: router.cisco.com
% Include the router serial number in the subject name? [yes/no]: y
% The serial number in the certificate will be: D0B9E79C
% Include an IP address in the subject name? [no]: n
Request certificate from CA? [yes/no]: y
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto pki certificate' command will also show the fingerprint.
Sep XX 00:41:55.427: CRYPTO_PKI: Certificate Request Fingerprint MD5: D154FB75 2524A24D 3D1F5C2B 46A7B9E4
Sep XX 00:41:55.427: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 0573FBB2 98CD1AD0 F37D591A C595252D A17523C1
Sep XX 00:41:57.339: %PKI-6-CERTRET: Certificate received from Certificate Authority
Router# show crypto pki server
Certificate Server srstcaserver:
    Status: enabled
    Server's configuration is locked (enter "shut" to unlock it)
    Issuer name: CN=srstcaserver
    CA cert fingerprint: AC9919F5 CAFE0560 92B3478A CFF5EC00
    Granting mode is: auto
    Last certificate issued serial number: 0x2
    CA certificate expiration timer: 13:46:57 PST Dec 1 2021
    CRL NextUpdate timer: 14:54:57 PST Jan 19 2019
    Current storage dir: nvram
    Database Level: Complete - all issued certs written as <serialnum>.cer
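The fingerprint prompt shown by crypto pki authenticate is the point at which the router starts trusting the CA certificate, so the values are worth comparing against a copy of the CA certificate obtained over a separate trusted channel before answering yes. The following Python is an added example, not part of the original document or of Cisco's tooling; the function names and the placeholder certificate bytes are assumptions made for illustration.

```python
import base64, hashlib, hmac, re

# Matches the "Fingerprint MD5:/SHA1:" values of the trustpoint authentication prompt.
PROMPT_RE = re.compile(r"Fingerprint\s+(MD5|SHA1):\s*((?:[0-9A-Fa-f]{8}[ \t]*)+)")
DIGEST_HEX_LEN = {"MD5": 32, "SHA1": 40}

def der_from(data: bytes) -> bytes:
    """Return DER bytes from a DER or PEM encoded certificate file."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def ios_fingerprint(der: bytes, algo: str) -> str:
    """Digest of the DER certificate, printed as in the prompt (groups of 8 hex digits)."""
    digest = hashlib.new(algo.lower(), der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))

def parse_prompt(text: str) -> dict:
    """Extract {algorithm: hex digest} from pasted prompt text; reject truncated values."""
    shown = {}
    for algo, value in PROMPT_RE.findall(text):
        digest = "".join(value.split()).upper()
        if len(digest) != DIGEST_HEX_LEN[algo]:
            raise ValueError(f"{algo} fingerprint has unexpected length")
        shown[algo] = digest
    return shown

def safe_to_accept(prompt_text: str, trusted_cert: bytes) -> bool:
    """True only if SHA1 is shown and every shown fingerprint matches the trusted copy."""
    der, shown = der_from(trusted_cert), parse_prompt(prompt_text)
    if "SHA1" not in shown:  # MD5 alone is not enough: it is not collision resistant
        return False
    return all(
        hmac.compare_digest(ios_fingerprint(der, algo).replace(" ", ""), digest)
        for algo, digest in shown.items()
    )

if __name__ == "__main__":
    # Constructed sample: placeholder bytes standing in for the CA certificate file.
    cert = b"constructed placeholder, not a real certificate"
    prompt = (f"Fingerprint MD5: {ios_fingerprint(cert, 'MD5')}\n"
              f"Fingerprint SHA1: {ios_fingerprint(cert, 'SHA1')}\n"
              "% Do you accept this certificate? [yes/no]:")
    print("accept" if safe_to_accept(prompt, cert) else "reject")
```

In use, prompt_text is the text pasted from the router session and trusted_cert is the content of the CA certificate file received out of band; answer yes at the prompt only when the function returns True.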