Note that in 12.3(7)T, crypto pki trustpoint replaces the crypto ca trustpoint command from previous Cisco IOS software releases. The crypto ca trustpoint command can be entered, but the command will be written in the configuration as crypto pki trustpoint.
Use the crypto pki trustpoint global configuration command to declare which CA the router will use. The crypto pki trustpoint command will allow the router to re-enroll to the CA server automatically when its certificates expire. Use the no form of this command to delete all identity information and certificates associated with the CA.
NOTE: The crypto pki trustpoint command is only significant locally. It does not have to match the identity defined on any of the VPN peers.
Entering the crypto pki trustpoint command puts the prompt into ca-trustpoint configuration mode, where characteristics for the CA can be specified with the commands shown in Figure . More information about these commands is shown in Figure .
The example shown in Figure declares an Entrust CA and identifies characteristics of the CA. In this example, the name vpnca is created for the CA, which is located at http://vpnca. The example also declares a CA using an RA. The scripts for the CA are stored in the default location, and the CA uses SCEP instead of LDAP. This is the minimum possible configuration required to declare a CA that uses an RA.
The example shown in Figure declares a Microsoft Windows 2000 CA. Note that the enrollment URL points to the MSCEP DLL.
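The following is an added example, not part of the original material or of Cisco's own code: a small Python audit that extracts trustpoint stanzas from a saved IOS configuration and reports the properties discussed above (legacy crypto ca syntax, enrollment URL, RA mode, MSCEP DLL). The sample configuration is constructed; the trustpoint name msca and the host ca.example.com are placeholders, and enrollment url and enrollment mode ra are assumed to be the ca-trustpoint subcommands the figures illustrate.

```python
import re

# Constructed sample configuration (not taken from the page's figures).
# "vpnca" follows the Entrust/RA example described above; "msca" and the
# host ca.example.com are placeholders for the Windows 2000 CA example.
SAMPLE_CONFIG = """\
hostname R1
!
crypto pki trustpoint vpnca
 enrollment mode ra
 enrollment url http://vpnca
!
crypto ca trustpoint msca
 enrollment url http://ca.example.com/certsrv/mscep/mscep.dll
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
"""

# Accept both spellings: 12.3(7)T and later write "pki", while older saved
# configurations and templates may still contain "ca".
HEADER = re.compile(r"^crypto (ca|pki) trustpoint (\S+)\s*$")


def parse_trustpoints(config):
    """Return one dict per trustpoint stanza found in an IOS configuration."""
    trustpoints, current = [], None
    for line in config.splitlines():
        match = HEADER.match(line)
        if match:
            current = {"name": match.group(2), "url": None, "ra_mode": False,
                       "legacy_syntax": match.group(1) == "ca"}
            trustpoints.append(current)
        elif current is not None and line.startswith(" "):
            words = line.split()
            if words[:2] == ["enrollment", "url"] and len(words) > 2:
                current["url"] = words[2]
            elif words[:3] == ["enrollment", "mode", "ra"]:
                current["ra_mode"] = True
        else:
            current = None  # any unindented line ends the stanza
    for tp in trustpoints:
        # An enrollment URL ending in mscep.dll points at the Microsoft SCEP add-on.
        tp["mscep"] = (tp["url"] or "").lower().endswith("/mscep.dll")
    return trustpoints


if __name__ == "__main__":
    for tp in parse_trustpoints(SAMPLE_CONFIG):
        print(tp)
```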