Configuring Digital Certificates Using the Online Method
To use the online configuration method to set up digital certificates on the router:
- Generate the RSA key pair.
  host1(config)#ipsec key generate rsa 2048
  Please wait...........................................................................IPsec Generate Keys complete
- In your IKE policy, set the authentication method to RSA signatures.
  host1(config)#ipsec ike-policy-rule 1
  host1(config-ike-policy)#authentication rsa-sig
  host1(config-ike-policy)#exit

Note: For more information about setting up IKE policies, see Defining an IKE Policy in Configuring IPSec.
- Enter IPSec CA Identity Configuration mode, and specify the name of the certificate authority.
  host1(config)#ipsec ca identity trustedca1
  host1(config-ca-identity)#
- Specify the name of the CA issuer.
  host1(config-ca-identity)#issuer-identifier BetaSecurityCorp
- Specify the URL of the SCEP server from which the CA certificates and the router's public certificates are retrieved.
  host1(config-ca-identity)#enrollment url http://192.168.99.105/scepurl
- (Optional) Set how strictly the router handles CRLs.
  host1(config-ca-identity)#crl ignored
- (Optional) Specify the wait period between certificate request retries.
  host1(config-ca-identity)#enrollment retry-period 5
- (Optional) Specify the absolute time limit on enrollment.
  host1(config-ca-identity)#enrollment retry-limit 60
- (Optional) Specify the URL of your network's HTTP proxy server.
  host1(config-ca-identity)#root proxy url http://192.168.5.45
  host1(config-ca-identity)#exit
- Retrieve the CA certificate.
  host1(config)#ipsec ca authenticate trustedca1
- Enroll with the CA and retrieve the router's certificate from the CA.
  host1(config)#ipsec ca enroll trustedca1 My498pWd
- (Optional) To delete RSA key pairs, use the ipsec key zeroize command.
authentication
- Use to specify the authentication method that the router uses. For digital certificates, the method is set to RSA signature.
- Example
  host1(config-ike-policy)#authentication rsa-sig
- Use the no version to restore the default, preshared keys.
- See authentication.
crl
- Use to control how the router handles certificate revocation lists (CRLs) during negotiation of online IKE phase 1 signature authentication.
Specify one of the following keywords:
- ignored—Allows negotiations to succeed even if a CRL is invalid or the peer's certificate appears in the CRL; this is the most lenient setting
- optional—If the router finds a valid CRL, it uses it; this is the default setting
- required—Requires a valid CRL, and neither the E Series router's certificate nor the peer's certificate may appear in it; this is the strictest setting
- Example
  host1(config-ca-identity)#crl ignored
- Use the no version to return the CRL setting to the default, optional.
- See crl.
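To make the three keyword semantics concrete, here is an added Python example (not part of this documentation and not the router's implementation) that evaluates a hypothetical CRL under each mode. It assumes a minimal CRL model (issuer, nextUpdate, revoked serial numbers) and treats a CRL as valid when it is present, issued by the expected CA and not past nextUpdate; those are the example's assumptions, not details stated on this page. It makes one operational point visible: under optional, a CRL that cannot be retrieved leaves a revoked certificate accepted, which is the same outcome as ignored, so required is the only mode in which a missing CRL fails closed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set


@dataclass
class Crl:
    """Minimal stand-in for a downloaded CRL (constructed model, not a real CRL parser):
    who issued it, when it expires, and which certificate serials it revokes."""
    issuer: str
    next_update: datetime
    revoked_serials: Set[int] = field(default_factory=set)


def crl_is_valid(crl: Optional[Crl], issuer: str, now: datetime) -> bool:
    # Assumption for this example: a CRL counts as valid when it is present,
    # issued by the expected CA, and its nextUpdate time has not passed.
    return crl is not None and crl.issuer == issuer and now < crl.next_update


def crl_decision(mode: str, crl: Optional[Crl], issuer: str,
                 serials: List[int], now: datetime) -> bool:
    """Return True if IKE phase 1 signature authentication may proceed.

    mode:    one of the crl keywords on this page: ignored, optional, required
    serials: serial numbers of the certificates being checked (router's and peer's)
    """
    if mode not in ("ignored", "optional", "required"):
        raise ValueError(f"unknown crl mode: {mode}")

    valid = crl_is_valid(crl, issuer, now)
    listed = valid and any(s in crl.revoked_serials for s in serials)

    if mode == "ignored":
        # Succeeds even if the CRL is invalid or a certificate is listed in it.
        return True
    if mode == "optional":
        # A valid CRL is used if found; with no valid CRL there is nothing to
        # check against, so the negotiation proceeds (fails open).
        return not listed
    # required: a valid CRL is mandatory and no checked certificate may appear in it.
    return valid and not listed


def demo() -> dict:
    """Run every mode against a fresh CRL, a stale CRL and no CRL (constructed data)."""
    now = datetime(2003, 10, 18, 3, 45, tzinfo=timezone.utc)
    issuer = "BetaSecurityCorp"
    fresh = Crl(issuer, now + timedelta(days=1), {0x1234})
    stale = Crl(issuer, now - timedelta(days=1), {0x1234})
    revoked, clean = [0x1234], [0x9999]
    results = {}
    for mode in ("ignored", "optional", "required"):
        results[mode] = {
            "no_crl_clean": crl_decision(mode, None, issuer, clean, now),
            "stale_crl_clean": crl_decision(mode, stale, issuer, clean, now),
            "fresh_crl_clean": crl_decision(mode, fresh, issuer, clean, now),
            "fresh_crl_revoked": crl_decision(mode, fresh, issuer, revoked, now),
        }
    return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(mode, outcome)
```

Note that the revoked certificate is rejected under optional only because a valid CRL happened to be available; the same certificate with no CRL is accepted.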
enrollment retry-limit
- Use to set the time period during which the router continues to send a certificate request to the CA. You can specify a time period in the range 0–480 minutes, with 0 specifying an infinite time period.
- Example
  host1(config-ca-identity)#enrollment retry-limit 200
- Use the no version to restore the default of 60 minutes.
- See enrollment retry-limit.
enrollment retry-period
- Use to set the number of minutes that the router waits after receiving no response before resending a certificate request to the CA. You can specify a wait period in the range 0–60 minutes.
- Example
  host1(config-ca-identity)#enrollment retry-period 40
- Use the no version to restore the default, 1 minute.
- See enrollment retry-period.
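The two enrollment timers, enrollment retry-limit and enrollment retry-period, interact: retry-period sets the spacing between certificate requests and retry-limit bounds the total time the router keeps trying. The following Python is an added example (not this documentation's or the router's code) that models that loop against a fake CA which stays silent for a while and then answers. Its assumptions: a request is resent as long as the elapsed time has not exceeded retry-limit; 0 for retry-limit means no limit, as this page states; and only retry-period values of 1 to 60 minutes are modelled, because the page lists 0 as allowed for retry-period but does not say what it does, so the example rejects it rather than guess.

```python
from typing import Callable, Optional, Tuple

# A "CA" for this simulation is a callable that takes the elapsed minute of the
# request and returns a certificate string, or None for no response.
FakeCa = Callable[[int], Optional[str]]


def run_enrollment(send_request: FakeCa,
                   retry_period_min: int = 1,
                   retry_limit_min: int = 60,
                   max_attempts: int = 10_000) -> Tuple[Optional[str], int, int]:
    """Simulate the router's certificate-request loop.

    retry_period_min: minutes waited after no response before resending
                      (page: range 0-60, default 1; 0 is not modelled here).
    retry_limit_min:  minutes during which requests keep being sent
                      (page: range 0-480, default 60; 0 means no limit).
    Returns (certificate or None, number of requests sent, minute of the last request).
    """
    if not 1 <= retry_period_min <= 60:
        raise ValueError("this example models retry-period values of 1-60 minutes only")
    if not 0 <= retry_limit_min <= 480:
        raise ValueError("retry-limit must be in the range 0-480 minutes")

    elapsed = 0
    attempts = 0
    while attempts < max_attempts:          # guard so retry-limit 0 cannot spin forever here
        attempts += 1
        cert = send_request(elapsed)
        if cert is not None:
            return cert, attempts, elapsed
        last_sent = elapsed
        elapsed += retry_period_min
        # Assumption: once the next send time would exceed retry-limit, enrollment gives up.
        if retry_limit_min and elapsed > retry_limit_min:
            return None, attempts, last_sent
    return None, attempts, elapsed


def silent_until(minute_ready: int) -> FakeCa:
    """Build a constructed CA that gives no response before minute_ready and a certificate after."""
    def respond(minute: int) -> Optional[str]:
        return "CERT-constructed-placeholder" if minute >= minute_ready else None
    return respond


if __name__ == "__main__":
    # Page's configured values: retry-period 5, retry-limit 60, CA answering at minute 12.
    print(run_enrollment(silent_until(12), retry_period_min=5, retry_limit_min=60))
    # Same timers, CA never answers: 13 requests (minutes 0..60), then give up.
    print(run_enrollment(silent_until(10_000), retry_period_min=5, retry_limit_min=60))
    # retry-limit 0: keeps going until the CA answers at minute 500.
    print(run_enrollment(silent_until(500), retry_period_min=10, retry_limit_min=0))
```

With the defaults (1 minute period, 60 minute limit) an unresponsive CA costs 61 requests before the router stops; with retry-limit 0 a dead CA is retried indefinitely, so that setting deserves monitoring of the ikeEnrollment log rather than being left unattended.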
enrollment url
- Use to specify the URL of the SCEP server, in the format http://server_ipaddress. You can then use the ipsec ca authenticate command to retrieve CA certificates from the SCEP server, and the ipsec ca enroll command to retrieve the router's public key certificates from the server.
- Example
  host1(config-ca-identity)#enrollment url http://192.168.99.105/scepurl
- Use the no version to delete the enrollment URL specification.
- See enrollment url.
ipsec ca authenticate
- Use to retrieve the specified CA's certificate. If authentication is successful, the fingerprint is sent, and an ikeEnrollment message is logged at severity info.
- The CA must be previously declared by the ipsec ca identity command.
- Example
  host1(config)#ipsec ca authenticate trustedca1
  host1(config)#INFO 10/18/2003 03:45:16 ikeEnrollment (): Received CA certificate for ca:trustedca1
  INFO 10/18/2003 03:45:16 ikeEnrollment (): Received CA certificate for ca:trustedca1 fingerprint:28:19:ba:76:d8:e0:bb:22:60:cd:b9:2d:dc:b8:58:01
  host1(config)#
- Use the no ipsec ca identity command for the specified CA, or boot the router using the factory defaults to remove the CA certificate that was generated during the online configuration.
- There is no no version.
- See ipsec ca authenticate.
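The ikeEnrollment log line shown in the ipsec ca authenticate example (and produced by the "Retrieve the CA certificate" step of the procedure above) is where the router reports the fingerprint of the CA certificate it just downloaded. Because the enrollment URL is plain HTTP, comparing that fingerprint with the value the CA operator gave you out of band is the step that actually authenticates the CA; everything enrolled afterwards chains to it. The following Python is an added example, not part of this documentation or of the router software: it parses log lines in the format shown on this page (the sample log text is constructed from that example output), extracts the fingerprint for a named CA, and compares it with the expected value in constant time. The CA name, the expected fingerprint and the exact log format are assumptions taken from this page's example.

```python
import hmac
import re
from typing import Dict

# Constructed sample input, built from the ikeEnrollment lines in this page's
# "ipsec ca authenticate" example (split into one log record per line).
SAMPLE_LOG = """\
INFO 10/18/2003 03:45:16 ikeEnrollment (): Received CA certificate for ca:trustedca1
INFO 10/18/2003 03:45:16 ikeEnrollment (): Received CA certificate for ca:trustedca1 fingerprint:28:19:ba:76:d8:e0:bb:22:60:cd:b9:2d:dc:b8:58:01
"""

# Assumed log format: "... Received CA certificate for ca:<name> fingerprint:<hex:hex:...>"
FINGERPRINT_RE = re.compile(
    r"ikeEnrollment \(\): Received CA certificate for ca:(?P<ca>\S+?) "
    r"fingerprint:(?P<fp>(?:[0-9a-fA-F]{2}:)+[0-9a-fA-F]{2})\s*$"
)


def normalize_fingerprint(fp: str) -> bytes:
    """Accept '28:19:ba:...', '2819BA...' or '28 19 ba ...' and return the raw bytes."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", fp)
    if not hexdigits or len(hexdigits) % 2 != 0:
        raise ValueError(f"malformed fingerprint: {fp!r}")
    return bytes.fromhex(hexdigits)


def extract_fingerprints(log_text: str) -> Dict[str, bytes]:
    """Map CA name -> fingerprint bytes for every fingerprint line in the log."""
    found: Dict[str, bytes] = {}
    for line in log_text.splitlines():
        m = FINGERPRINT_RE.search(line)
        if m:
            found[m.group("ca")] = normalize_fingerprint(m.group("fp"))
    return found


def verify_ca_fingerprint(log_text: str, ca_name: str, expected: str) -> bool:
    """Return True only when the logged fingerprint for ca_name equals expected.

    hmac.compare_digest keeps the comparison time independent of where the
    first differing byte is; a missing line or a length mismatch is a failure,
    never an implicit pass.
    """
    logged = extract_fingerprints(log_text).get(ca_name)
    if logged is None:
        return False
    want = normalize_fingerprint(expected)
    return len(logged) == len(want) and hmac.compare_digest(logged, want)


if __name__ == "__main__":
    # The expected value would come from the CA operator out of band; this one is the
    # page's own example fingerprint, used here as the assumed reference.
    ok = verify_ca_fingerprint(SAMPLE_LOG, "trustedca1",
                               "28:19:ba:76:d8:e0:bb:22:60:cd:b9:2d:dc:b8:58:01")
    print("CA fingerprint matches" if ok else "CA fingerprint MISMATCH: do not enroll")
```

If the comparison fails, the CA identity should be removed with no ipsec ca identity (as described in this entry) before any ipsec ca enroll is attempted, since enrolling against an unverified CA certificate hands the router's identity to whoever answered the HTTP request.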
ipsec ca enroll
- Use to enroll with the specified CA and to retrieve the router's public key certificate during online digital certificate configuration. If enrollment is successful, the CA sends the certificate to the router, and an ikeEnrollment message is logged at severity info.
- Use the password option, if required by the CA, to access the CA and enable enrollment.
- The CA must be previously declared by the ipsec ca identity command.
- Example
  host1(config)#ipsec ca enroll trustedca1 My498pWd
  host1(config)#INFO 10/18/2003 03:49:33 ikeEnrollment (): Received erx certificate for ca:trustedca1
  host1(config)#
- Use the no ipsec ca identity command for the specified CA or boot the router using the factory defaults to remove the router's public certificate that was generated during the online configuration.
- There is no no version.
- See ipsec ca enroll.
ipsec ca identity
- Use to specify the CA that the ERX router uses for online certificate requests and to enter IPSec Identity Configuration mode.
- In IPSec Identity Configuration mode you specify information that the router uses in certificate requests and during negotiations with its peers.
- Example
  host1(config)#ipsec ca identity trustedca1
  host1(config-ipsec-identity)#
- Use the no version to remove the identity configuration.
- See ipsec ca identity.
ipsec ike-policy-rule
- Use to define an ISAKMP/IKE policy.
- When you enter the command, you include a number that identifies the policy and assigns a priority to the policy. You can number policies in the range 1–10000, with 1 having the highest priority.
- Example
  host1(config)#ipsec ike-policy-rule 3
  host1(config-ike-policy)#
- Use the no version to remove policies. If you do not include a priority number with the no version, all policies are removed.

Note: This command replaces ipsec isakmp-policy-rule , which may be removed completely in a future release.
- See ipsec ike-policy-rule.
ipsec isakmp-policy-rule
- Use to define an ISAKMP/IKE policy.
- When you enter the command, you include a number that identifies the policy and assigns a priority to the policy. You can number policies in the range 1–10000, with 1 having the highest priority.
- Example
  host1(config)#ipsec isakmp-policy-rule 3
  host1(config-ike-policy)#
- Use the no version to remove policies. If you do not include a priority number with the no version, all policies are removed.

Note: This command has been replaced by ipsec ike-policy-rule and may be removed completely in a future release.
- See ipsec isakmp-policy-rule.
ipsec key generate
- Use to generate RSA key pairs. Include a length of either 1024 or 2048 bits. The generated keys can be used only after the CA issues a certificate for them.
- Example
  host1(config)#ipsec key generate rsa 2048
  Please wait...........................................................................IPsec Generate Keys complete
- There is no no version. To remove a key pair, use the ipsec key zeroize command.
- See ipsec key generate.
ipsec key zeroize
- Use to delete RSA key pairs. Include one of the following keywords:
- rsa—Removes the RSA key pair from the router
- pre-share—Removes all preshared keys from the router
- all—Removes all keys within the VR context from the router
- Example
  host1(config)#ipsec key zeroize rsa
- There is no no version.
- See ipsec key zeroize.
issuer-identifier
- Use to specify the name of the CA issuer for online digital certificate configuration. The identifier and the enrollment URL specified by the enrollment url command are used together to create the CA authentication requests.
- Example
  host1(config-ca-identity)#issuer-identifier BetaSecurityCorp
- Use the no version to remove the name from the configuration.
- See issuer-identifier.
root proxy url
- Use to specify an HTTP proxy server that can submit HTTP requests on the E Series router's behalf to retrieve the root CA certificate. Use this command if your network has an HTTP proxy server installed between the E Series router and the Internet. Use the format http://server_ipaddress to specify the URL of the proxy server.
- Example
  host1(config-ca-identity)#root proxy url http://192.168.5.45
- Use the no version to remove the root proxy URL from the configuration.
- See root proxy url.