Configuring Cisco IOS software certificate authority (CA) support is complicated. Having a detailed plan lessens the chances of configuration errors. The planning steps include the following:
Step 1 (Optional) Manage the non-volatile RAM (NVRAM) memory usage
In some cases, storing certificates and CRLs locally does not present a problem. In other cases, however, memory might become an issue, particularly if the CA supports a registration authority (RA) and a large number of CRLs end up being stored on the router.
Step 2 Set the time and date on the router
The router must have an accurate time and date to enroll with a CA server.
Step 3 Configure the hostname and domain name of the router
The hostname is used in prompts and default configuration filenames. The domain name defines the default domain name that the Cisco IOS software uses to complete unqualified hostnames.
Step 4 Generate an RSA key pair
RSA keys are used to identify the remote VPN peer. One general-purpose key or two special-purpose keys can be generated.
Step 5 Declare a CA
To declare the CA that the router should use, use the crypto pki trustpoint global configuration command. Use the no form of this command to delete all identity information and certificates associated with the CA.
Step 6 Authenticate the CA
The router needs to authenticate the CA. It does this by obtaining the self-signed certificate of the CA, which contains the public key of the CA.
Step 7 Request a certificate for the router
Complete this step to obtain the identity certificate for the router from the CA.
Step 8 Save the configuration
After configuring the router for CA support, the configuration should be saved.
Step 9 (Optional) Monitor and maintain CA interoperability
The following substeps are optional, depending on the particular requirements:
- Request a certificate revocation list (CRL).
- Delete the RSA keys on the router.
- Delete both public and private certificates from the configuration.
- Delete the public keys of IPSec peers.
Step 10 Verify the CA support configuration.
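The planning steps above, carried through as an added example Cisco IOS configuration that is not part of the original text or of any Cisco document; the hostname, domain name, trustpoint name LAB-CA, key label VPN-KEYS, NTP address and CA enrollment URL are assumed placeholders, and Steps 1 and 9 (the optional ones) are left out:

```cisco
! Step 2: accurate time is needed for enrollment and certificate validity checks
clock timezone UTC 0
! placeholder NTP server from the documentation address range
ntp server 192.0.2.10
!
! Step 3: hostname and domain name together form the router's FQDN
hostname vpn-rtr1
ip domain-name example.com
!
! Step 4: one general-purpose RSA key pair; 2048 bits is a sensible minimum
crypto key generate rsa general-keys label VPN-KEYS modulus 2048
!
! Step 5: declare the CA as a trustpoint; "no crypto pki trustpoint LAB-CA"
! would delete all identity information and certificates bound to it
crypto pki trustpoint LAB-CA
 enrollment url http://ca.example.com:80
 subject-name CN=vpn-rtr1.example.com,O=Example
 rsakeypair VPN-KEYS
 revocation-check crl
!
! Step 6: obtain the CA's self-signed certificate; compare the fingerprint
! the router displays with one obtained out of band before accepting it
crypto pki authenticate LAB-CA
!
! Step 7: request the router's own identity certificate from the CA
crypto pki enroll LAB-CA
!
! Step 8 (exec mode): persist the configuration, including certificates
copy running-config startup-config
!
! Step 10 (exec mode): verify the trustpoint and the certificates it holds
show crypto pki trustpoints
show crypto pki certificates
```

The key generation, authentication and enrollment commands are interactive and prompt for confirmation; the fingerprint check at Step 6 is the point where a rogue CA would otherwise be accepted silently.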