Configure CA Support on a Cisco Router
Step 5 – declare a CA

Note that in 12.3(7)T, crypto pki trustpoint replaces the crypto ca trustpoint command from previous Cisco IOS software releases. The crypto ca trustpoint command can be entered, but the command will be written in the configuration as crypto pki trustpoint.

Use the crypto pki trustpoint global configuration command to declare which CA the router will use. The crypto pki trustpoint command also allows the router to re-enroll with the CA server automatically when its certificates expire. Use the no form of this command to delete all identity information and certificates associated with the CA.

NOTE:

The crypto pki trustpoint command is only significant locally. It does not have to match the identity defined on any of the VPN peers.

Entering the crypto pki trustpoint command places the router in ca-trustpoint configuration mode, where the characteristics of the CA can be specified with the commands shown in Figure . More information about these commands is shown in Figure .

The example shown in Figure declares an Entrust CA and identifies its characteristics. In this example, the name vpnca is created for the CA, which is located at http://vpnca. The example also declares that the CA is reached through an RA. The scripts for the CA are stored in the default location, and the CA uses SCEP instead of LDAP. This is the minimum configuration required to declare a CA that uses an RA.

The example shown in Figure declares a Microsoft Windows 2000 CA. Note that the enrollment URL points to the MSCEP DLL.
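The two declarations described above, written out as an added example rather than the course's own figures. The trustpoint names, the URL http://vpnca and the host name ca.example.com are assumed; the MSCEP DLL path is the standard Windows 2000 SCEP enrollment path, and the retry, auto-enroll and revocation-check lines are optional additions beyond the minimum configuration the text describes.

```cisco
! Entrust CA reached through an RA (minimum RA configuration is the
! first three lines; the assumed URL http://vpnca uses SCEP, not LDAP)
crypto pki trustpoint vpnca
 enrollment url http://vpnca
 enrollment mode ra
 ! Optional: retry enrollment every 2 minutes, at most 5 times
 enrollment retry period 2
 enrollment retry count 5
 ! Optional: re-enroll when 70% of the certificate lifetime has elapsed
 auto-enroll 70
 ! Optional: require a CRL check when validating peer certificates
 revocation-check crl
!
! Microsoft Windows 2000 CA: the enrollment URL points at the MSCEP DLL
! (assumed host name ca.example.com)
crypto pki trustpoint mscep-ca
 enrollment url http://ca.example.com/certsrv/mscep/mscep.dll
 auto-enroll 70
 revocation-check crl
```

show crypto pki trustpoints lists the declared trustpoints and their enrollment settings, which is a useful check before the CA certificate is authenticated in the next step.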