Configuring Digital Certificates Using the Online Method

To use the online configuration method to set up digital certificates on the router:

  1. Generate the RSA key pair.
    host1(config)#ipsec key generate rsa 2048 Please wait...........................................................................IPsec Generate Keys complete
  2. In your IKE policy, set the authentication method to RSA signatures.
    host1(config)#ipsec ike-policy-rule 1 host1(config-ike-policy)#authentication rsa-sig host1(config-ike-policy)#exit

    Note: For more information about setting up IKE policies, see Defining an IKE Policy in Configuring IPsec.

  3. Enter IPsec CA Identity Configuration mode, and specify the name of the certificate authority.
    host1(config)#ipsec ca identity trustedca1 host1(config-ca-identity)#
  4. Specify the name of the CA issuer.
    host1(config-ca-identity)#issuer-identifier BetaSecurityCorp
  5. Specify the URL of the SCEP server from which the CA certificates and the router's public certificates is retrieved.
    host1(config-ca-identity)#enrollment url http://192.168.99.105/scepurl
  6. (Optional) Set the sensitivity of how the router handles CRLs.
    host1(config-ca-identity)#crl ignored
  7. (Optional) Specify the wait period between certificate request retries.
    host1(config-ca-identity)#enrollment retry-period 5
  8. (Optional) Specify the absolute time limit on enrollment.
    host1(config-ca-identity)#enrollment retry-limit 60
  9. (Optional) Specify the URL of your network's HTTP proxy server.
    host1(config-ca-identity)#root proxy url http://192.168.5.45 host1(config-ca-identity)#exit
  10. Retrieve the CA certificate.
    host1(config)#ipsec ca authenticate trustedca1
  11. Enroll with the CA and retrieve the router's certificate from the CA.
    host1(config)#ipsec ca enroll trustedca1 My498pWd
  12. (Optional) To delete RSA key pairs, use the ipsec key zeroize command.

authentication

crl

enrollment retry-limit

enrollment retry-period

enrollment url

ipsec ca authenticate

ipsec ca enroll

ipsec ca identity

ipsec ike-policy-rule

ipsec isakmp-policy-rule

ipsec key generate

ipsec key zeroize

issuer-identifier

root proxy url