Configure CA Support on a Cisco Router
Step 7 – request a certificate for the router

A signed certificate must be obtained from the CA for each RSA key pair on the router. If general-purpose RSA keys were generated, the router has only one RSA key pair and needs only one certificate. If special-usage RSA keys were generated, the router has two RSA key pairs and needs two certificates.

To request signed certificates from the CA, use the crypto pki enroll name command in global configuration mode.

During the enrollment process, a challenge password is created. The CA administrator can use this password to validate the identity of the individual who is requesting the certificate. This password is not saved with the configuration. It is required if the certificate later needs to be revoked, so it must be remembered or stored in a manner consistent with the security policy of the organization.

Technically, enrolling and obtaining certificates are two separate events, but they both occur when the crypto pki enroll command is issued.

If a certificate for the keys already exists, this command cannot be completed. Instead, the administrator is prompted to remove the existing certificate first. Existing certificates can be removed with the no certificate command.

CAUTION:

The crypto pki enroll command is not saved in the router configuration. If the router reboots after the crypto pki enroll command is issued, but before the certificates are received, the command must be reissued.
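The enrollment and verification sequence described in this step, as an added example that is not part of the original page. It assumes a trustpoint named CA-TP (a placeholder) has already been configured and authenticated; the prompts shown are illustrative, and the exact dialog wording varies by IOS release.

```cisco
! Added example; assumes trustpoint CA-TP (placeholder) already exists with its
! enrollment URL configured and the CA certificate authenticated.

! Confirm which RSA key pairs need certificates: one for general-purpose keys,
! two (signature and encryption) for special-usage keys.
Router# show crypto key mypubkey rsa

! Enroll. The command is interactive and is NOT stored in the configuration,
! so it must be reissued if the router reboots before the certificate arrives.
Router(config)# crypto pki enroll CA-TP
! The dialog asks for a challenge password (needed later to revoke the
! certificate; it is not saved, so record it according to your security
! policy), whether to include the serial number and an IP address in the
! subject name, and finally whether to send the request to the CA.

! Verify: the router certificate(s) should now be listed alongside the
! CA certificate. A request still pending shows no router certificate.
Router# show crypto pki certificates

! If enrollment is refused because a certificate already exists for the keys,
! remove it first (serial number taken from the show output), then re-enroll.
Router(config)# crypto pki certificate chain CA-TP
Router(config-cert-chain)# no certificate <serial-number-from-show-output>
Router(config-cert-chain)# end
Router(config)# crypto pki enroll CA-TP
```

Use `show crypto pki certificates` after any reboot that occurred between issuing the enroll command and receiving the certificate to decide whether the request must be repeated.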