Configure CA Support on a Cisco Router
Steps to configure CA support

Configuring Cisco IOS software certificate authority (CA) support is complicated, and a detailed plan lessens the chance of configuration errors. The planning includes the following steps:

Step 1 (Optional) Manage the non-volatile RAM (NVRAM) memory usage
In some cases, storing certificates and CRLs locally does not present a problem. In other cases, however, memory might become an issue, particularly if the CA supports a registration authority (RA) and a large number of CRLs end up being stored on the router.

Step 2 Set the time and date on the router
The router must have an accurate time and date to enroll with a CA server.

Step 3 Configure the hostname and domain name of the router
The hostname is used in prompts and default configuration filenames. The domain name is used to define a default domain name that the Cisco IOS software uses to complete unqualified hostnames.

Step 4 Generate an RSA key pair
RSA keys are used to identify the remote VPN peer. One general-purpose key or two special-purpose keys can be generated.

Step 5 Declare a CA
To declare the CA that the router should use, use the crypto pki trustpoint global configuration command. Use the no form of this command to delete all identity information and certificates associated with the CA.

Step 6 Authenticate the CA
The router needs to authenticate the CA. It does this by obtaining the self-signed certificate from the CA that contains the public key of the CA.

Step 7 Request a certificate for the router
Complete this step to obtain the identity certificate for the router from the CA.

Step 8 Save the configuration
After configuring the router for CA support, the configuration should be saved.

Step 9 (Optional) Monitor and maintain CA interoperability
The following substeps are optional, depending on the particular requirements:

  1. Request a certificate revocation list (CRL).
  2. Delete the RSA keys on the router.
  3. Delete both public and private certificates from the configuration.
  4. Delete the public keys of IPSec peers.

Step 10 Verify the CA support configuration
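The ten steps above carried through as one annotated IOS CLI session, added here as an illustration rather than taken from Cisco's own documentation. The trustpoint name EXAMPLE-CA, key label VPNKEY, hostname, domain, NTP address and enrollment URL are made-up values; lines are a mix of global configuration and privileged EXEC commands, prompts are omitted, and lines beginning with `!` are comments.

```cisco
! Step 1 (optional) is skipped here: NVRAM is assumed to be large enough for the certificates and CRLs.
! Step 2: the CA rejects enrollment from a router with a skewed clock, so sync time first
clock timezone UTC 0
ntp server 192.0.2.10
! Step 3: hostname and domain name make up the FQDN placed in the certificate request
hostname R1
ip domain name example.com
! Step 4 (EXEC): one general-purpose RSA key pair, labelled so the trustpoint can reference it;
! use at least a 2048-bit modulus
crypto key generate rsa general-keys label VPNKEY modulus 2048
! Step 5: declare the CA as a trustpoint, bind the key pair and enforce CRL checking
crypto pki trustpoint EXAMPLE-CA
 enrollment url http://ca.example.com:80
 subject-name CN=r1.example.com, O=Example
 rsakeypair VPNKEY
 revocation-check crl
 exit
! Step 6 (EXEC): fetch the CA's self-signed certificate. IOS prints its fingerprint and
! asks for confirmation; answer yes only if it matches the fingerprint obtained from the
! CA administrator out of band, otherwise the router would trust an impostor CA.
crypto pki authenticate EXAMPLE-CA
! Step 7 (EXEC): SCEP enrollment for the router's identity certificate
! (prompts for the challenge password issued by the CA)
crypto pki enroll EXAMPLE-CA
! Step 8 (EXEC): save the configuration so the trustpoint and certificates survive a reload
copy running-config startup-config
! Step 9 (optional maintenance, EXEC/config): refresh the CRL now, destroy the key pair,
! remove the trustpoint with its certificates, and drop a manually entered peer public key
crypto pki crl request EXAMPLE-CA
crypto key zeroize rsa VPNKEY
no crypto pki trustpoint EXAMPLE-CA
crypto key pubkey-chain rsa
 no named-key peer1.example.com
 exit
! Step 10 (EXEC): verify trustpoint state, installed certificates, the key pair and cached CRLs
show crypto pki trustpoints
show crypto pki certificates
show crypto key mypubkey rsa
show crypto pki crls
```

The Step 9 commands are shown only for completeness; on a production router they would be run when a key is suspected compromised or the CA is being replaced, not as part of the initial setup.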