[Contents] [Prev] [Next] [Index] [Report an Error]

Configuring Digital Certificates Using the Online Method

To use the online configuration method to set up digital certificates on the router:

Generate the RSA key pair. host1(config)#ipsec key generate rsa 2048 Please wait................................................. .......................... IPsec Generate Keys complete
In your IKE policy, set the authentication method to RSA signatures. host1(config)#ipsec ike-policy-rule 1 host1(config-ike-policy)#authentication rsa-sig host1(config-ike-policy)#exit

Note: For more information about setting up IKE policies, see Defining an IKE Policy in Configuring IPSec.
Enter IPSec CA Identity Configuration mode, and specify the name of the certificate authority.host1(config)#ipsec ca identity trustedca1 host1(config-ca-identity)#
Specify the name of the CA issuer. host1(config-ca-identity)#issuer-identifier BetaSecurityCorp
Specify the URL of the SCEP server from which the CA certificates and the router's public certificates is retrieved. host1(config-ca-identity)#enrollment url http://192.168.99.105/scepurl
(Optional) Set the sensitivity of how the router handles CRLs.host1(config-ca-identity)#crl ignored
(Optional) Specify the wait period between certificate request retries. host1(config-ca-identity)#enrollment retry-period 5
(Optional) Specify the absolute time limit on enrollment.host1(config-ca-identity)#enrollment retry-limit 60
(Optional) Specify the URL of your network's HTTP proxy server. host1(config-ca-identity)#root proxy url http://192.168.5.45 host1(config-ca-identity)#exit
Retrieve the CA certificate. host1(config)#ipsec ca authenticate trustedca1
Enroll with the CA and retrieve the router's certificate from the CA. host1(config)#ipsec ca enroll trustedca1 My498pWd
(Optional) To delete RSA key pairs, use the ipsec key zeroize command.

authentication

Use to specify the authentication method that the router uses. For digital certificates, the method is set to RSA signature.
Examplehost1(config-ike-policy)#authentication rsa-sig
Use the no version to restore the default, preshared keys.
See authentication.

crl

Use to control how the router handles certificate revocation lists (CRLs) during negotiation of online IKE phase 1 signature authentication. Specify one of the following keywords:
- ignored—Allows negotiations to succeed even if a CRL is invalid or the peer's certificate appears in the CRL; this is the most lenient setting
- optional—If the router finds a valid CRL, it uses it; this is the default setting
- required—Requires a valid CRL; either the certificates that belong to the E-series router or the peer must not appear in the CRL; this is the strictest setting
Examplehost1(config-ca-identity)#crl ignored
Use the no version to return the CRL setting to the default, optional.
See crl.

enrollment retry-limit

Use to set the time period during which the router continues to send a certificate request to the CA. You can specify a time period in the range 0–480 minutes, with 0 specifying an infinite time period.
Examplehost1(config-ca-identity)#enrollment retry-limit 200
Use the no version to restore the default of 60 minutes.
See enrollment retry-limit.

enrollment retry-period

Use to set the number of minutes that the router waits after receiving no response before resending a certificate request to the CA. You can specify a wait period in the range 0–60 minutes.
Examplehost1(config-ca-identity)#enrollment retry-period 40
Use the no version to restore the default, 1 minute.
See enrollment retry-period.

enrollment url

Use to specify the URL of the SCEP server, in the format http://server_ipaddress. You can then use the ipsec ca authentication command to retrieve CA certificates from the SCEP server, and the ipsec ca enroll command to retrieve the router's public key certificates from the server.
Examplehost1(config-ca-identity)#enrollment url http://192.168.99.105/scepurl
Use the no version to delete the enrollment URL specification.
See enrollment url.

ipsec ca authenticate

Use to retrieve the specified CA's certificate. If authentication is successful, the fingerprint is sent, and an ikeEnrollment message is logged at severity info.
The CA must be previously declared by the ipsec ca identity command.
Examplehost1(config)#ipsec ca authenticate trustedca1 host1(config)#INFO 10/18/2003 03:45:16 ikeEnrollment (): Received CA certificate for ca:trustedca1 INFO 10/18/2003 03:45:16 ikeEnrollment (): Received CA certificate for ca:trustedca1 fingerprint:28:19:ba:76:d8:e0:bb:22:60:cd:b9:2d:dc:b8:58:01 host1(config)#
Use the no ipsec ca identity command for the specified CA, or boot the router using the factory defaults to remove the CA certificate that was generated during the online configuration.
There is no no version.
See ipsec ca authenticate.

ipsec ca enroll

Use to enroll with the specified CA and to retrieve the router's public key certificate during online digital certificate configuration. If enrollment is successful, the CA sends the certificate to the router and logs an ikeEnrollment message is logged at severity info.
Use the password option, if required by the CA, to access the CA and enable enrollment.
The CA must be previously declared by the ipsec ca identity command.
Examplehost1(config)#ipsec ca enroll trustedca1 My498pWd host1(config)#INFO 10/18/2003 03:49:33 ikeEnrollment (): Received erx certificate for ca:trustedca1 host1(config)#
Use the no ipsec ca identity command for the specified CA or boot the router using the factory defaults to remove the router's public certificate that was generated during the online configuration.
There is no no version.
See ipsec ca enroll.

ipsec ca identity

Use to specify the CA that the ERX router uses for online certificate requests and to enter IPSec Identity Configuration mode.
In IPSec Identity Configuration mode you specify information that the router uses in certificate requests and during negotiations with its peers.
Examplehost1(config)#ipsec ca identity trustedca1 host1(config-ipsec-identity)#
Use the no version to remove the identity configuration.
See ipsec ca identity.

ipsec ike-policy-rule

Use to define an ISAKMP/IKE policy.
When you enter the command, you include a number that identifies the policy and assigns a priority to the policy. You can number policies in the range 1–10000, with 1 having the highest priority.
Example host1(config)#ipsec ike-policy-rule 3 host1(config-ike-policy)#
Use the no version to remove policies. If you do not include a priority number with the no version, all policies are removed.

Note: This command replaces the ipsec isakmp-policy-rule command, which may be removed completely in a future release.
See ipsec ike-policy-rule.

ipsec isakmp-policy-rule

Use to define an ISAKMP/IKE policy.
When you enter the command, you include a number that identifies the policy and assigns a priority to the policy. You can number policies in the range 1–10000, with 1 having the highest priority.
Example host1(config)#ipsec isakmp-policy-rule 3 host1(config-ike-policy)#
Use the no version to remove policies. If you do not include a priority number with the no version, all policies are removed.

Note: This command has been replaced by the ipsec ike-policy-rule command and may be removed completely in a future release.
See ipsec isakmp-policy-rule.

ipsec key generate

Use to generate RSA key pairs. Include a length of either 1024 or 2048 bits. The generated keys can be used only after the CA issues a certificate for them.
Examplehost1(config)#ipsec key generate rsa 2048 Please wait................................................. .......................... IPsec Generate Keys complete
There is no no version. To remove a key pair, use the ipsec key zeroize command.
See ipsec key generate.

ipsec key zeroize

Use to delete RSA key pairs. Include one of the following keywords:
- rsa—Removes the RSA key pair from the router
- pre-share—Removes all preshared keys from the router
- all—Removes all keys within the VR context from the router
Examplehost1(config)#ipsec key zeroize rsa
There is no no version.
See ipsec key zeroize.

issuer-identifier

Use to specify the name of the CA issuer for online digital certificate configuration. The identifier and the enrollment URL specified by the enrollment url command are used together to create the CA authentication requests.
Examplehost1(config-ca-identity)#issuer-identifier BetaSecurityCorp
Use the no version to remove the name from the configuration.
See issuer-identifier.

root proxy url

Use to specify an HTTP proxy server that can submit HTTP requests on the E-series router's behalf to retrieve the root CA certificate. Use this command if your network has an HTTP proxy server installed between the E-series router and the Internet. Use the format http://server_ipaddress to specify the URL of the proxy server.
Examplehost1(config-ca-identity)#root proxy url http://192.168.5.45
Use the no version to remove the root proxy URL from the configuration.
See root proxy url.

[Contents] [Prev] [Next] [Index] [Report an Error]