A signed certificate must be obtained from the CA for each RSA key pair on the router. If general-purpose RSA keys were generated, the router has only one RSA key pair and needs only one certificate. If special-usage RSA keys were generated, the router has two RSA key pairs and needs two certificates.

To request signed certificates from the CA, use the crypto pki enroll name command in global configuration mode.

During the enrollment process, a challenge password is created. The CA administrator can use this password to validate the identity of the individual requesting the certificate. The password is not saved with the configuration. It is required if the certificate later needs to be revoked, so it must be remembered or stored in a manner consistent with the security policy of the organization.

Technically, enrolling and obtaining certificates are two separate events, but both occur when the crypto pki enroll command is issued.

If a certificate for the keys already exists, this command cannot be completed. Instead, the administrator is prompted to remove the existing certificate first. Existing certificates can be removed with the no certificate command.
CAUTION:
The crypto pki enroll command is not saved in the router configuration. If the router reboots after the crypto pki enroll command is issued but before the certificates are received, the command must be reissued.
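The enrollment procedure described above, shown end to end as an added, constructed example that is not from the original page: generating general-purpose keys, authenticating the CA, enrolling, verifying the result, and removing an existing certificate before re-enrolling. The hostname R1, the trustpoint name CA-TP, the CA URL and the subject name are assumed values, and the interactive prompt text shown is illustrative; exact wording varies by IOS release.

```cisco
! Constructed example: hostname R1, trustpoint CA-TP and the CA URL
! http://ca.example.com/ are assumed values, not from the original page.
! General-purpose keys: one key pair, so one enrollment and one certificate.
R1(config)# crypto key generate rsa general-keys modulus 2048
R1(config)# crypto pki trustpoint CA-TP
R1(ca-trustpoint)# enrollment url http://ca.example.com/
R1(ca-trustpoint)# exit
! Fetch and verify the CA certificate before enrolling; confirm the
! fingerprint out of band with the CA administrator before accepting it.
R1(config)# crypto pki authenticate CA-TP
Certificate has the following attributes:
       Fingerprint MD5: <fingerprint shown by the router>
      Fingerprint SHA1: <fingerprint shown by the router>
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
! Enroll. The challenge password entered here is NOT written to the
! configuration; record it according to the organization's policy,
! because the CA administrator needs it to revoke the certificate.
R1(config)# crypto pki enroll CA-TP
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password:
Re-enter password:

% The subject name in the certificate will include: R1.example.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose CA-TP' command will show the fingerprint.
R1(config)# end
! Verify that both the CA certificate and the router certificate are present.
! If the router reboots before the certificate arrives, the enroll command is
! not in the saved configuration and must be issued again.
R1# show crypto pki certificates CA-TP
! Re-enrolling while a certificate already exists fails; remove the old one
! first (the serial number is taken from the show command output above).
R1# configure terminal
R1(config)# crypto pki certificate chain CA-TP
R1(config-cert-chain)# no certificate <serial-number-from-show-output>
```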