Cisco PKI Certificate Enrollment Guide

This document provides an overview of certificate enrollment methods for public key infrastructure (PKI) configuration in Cisco IOS XE. It describes the different certificate enrollment methods including Simple Certificate Enrollment Protocol (SCEP), PKCS12, manual cut-and-paste, and others. It also covers certificate authority (CA) authentication, supported algorithms for elliptic curve digital signatures, and the use of registration authorities.

Uploaded by

Mitiku Shirko

Public Key Infrastructure Configuration Guide, Cisco IOS XE Everest 16.

Configuring Certificate Enrollment for a PKI

This module describes the different methods available for certificate enrollment and how to set
up each method for a participating PKI peer. Certificate enrollment, which is the process of
obtaining a certificate from a certification authority (CA), occurs between the end host that
requests the certificate and the CA. Each peer that participates in the public key infrastructure
(PKI) must enroll with a CA.

Note: Security threats, as well as the cryptographic technologies to help protect against them, are
constantly changing. For more information about the latest Cisco cryptographic
recommendations, see the Next Generation Encryption (NGE) white paper.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest
caveats and feature information, see Bug Search Tool and the release notes for your platform and
software release. To find information about the features documented in this module, and to see a
list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software
image support. To access Cisco Feature Navigator, go to [Link]/go/cfn. An account on
[Link] is not required.

Prerequisites for PKI Certificate Enrollment

Before configuring peers for certificate enrollment, you should have the following items:

• A generated Rivest, Shamir, and Adelman (RSA) key pair to enroll and a PKI in which to
enroll.
• An authenticated CA.
• Familiarity with the module “Cisco IOS PKI Overview: Understanding and Planning a
PKI.”
• NTP enabled on the device so that PKI services such as autoenrollment and certificate
rollover function correctly.

Note: As of Cisco IOS Release 12.3(7)T, all commands that begin with “crypto ca” have been
changed to begin with “crypto pki”. Although the router will still accept crypto ca
commands, all output will be displayed as crypto pki.

Information about Certificate Enrollment for a PKI

What Are CAs

A CA is an entity that issues digital certificates that other parties can use. It is an example of a
trusted third party. CAs are characteristic of many PKI schemes.

A CA manages certificate requests and issues certificates to participating network devices. These
services provide centralized key management for the participating devices to validate identities
and to create digital certificates. Before any PKI operations can begin, the CA generates its own
public key pair and creates a self-signed CA certificate; thereafter, the CA can sign certificate
requests and begin peer enrollment for the PKI.

You can use the Cisco IOS certificate server or a CA provided by a third-party CA vendor.

Framework for Multiple CAs

A PKI can be set up in a hierarchical framework to support multiple CAs. At the top of the
hierarchy is a root CA, which holds a self-signed certificate. The trust within the entire hierarchy
is derived from the RSA key pair of the root CA. The subordinate CAs within the hierarchy can
be enrolled with either the root CA or with another subordinate CA. Multiple tiers of CAs are
configured by either the root CA or by another subordinate CA. Within a hierarchical PKI, all
enrolled peers can validate the certificate of one another if the peers share a trusted root CA
certificate or a common subordinate CA.

When to Use Multiple CAs

Multiple CAs provide users with added flexibility and reliability. For example, subordinate CAs
can be placed in branch offices while the root CA is at the office headquarters. Also, different
granting policies can be implemented per CA, so you can set up one CA to automatically grant
certificate requests while another CA within the hierarchy requires each certificate request to be
manually granted.

Scenarios in which at least a two-tier CA is recommended are as follows:

• Large and very active networks in which a large number of certificates are revoked and
reissued. A multiple-tier CA helps to control the size of the certificate revocation lists
(CRLs).
• When online enrollment protocols are used, the root CA can be kept offline except to
issue subordinate CA certificates. This scenario provides added security for the root CA.

Authentication of the CA

The certificate of the CA must be authenticated before the device will be issued its own
certificate and before certificate enrollment can occur. Authentication of the CA typically occurs
only when you initially configure PKI support at your router. To authenticate the CA, issue the
crypto pki authenticate command, which authenticates the CA to your router by obtaining the
self-signed certificate of the CA that contains the public key of the CA.

Note: PKI does not support certificates whose validity lifetime extends beyond the year 2099.
It is therefore recommended to choose a validity lifetime that ends before the year 2099.

Authentication via the fingerprint Command

Cisco IOS Release 12.3(12) and later releases allow you to issue the fingerprint command to
preenter a fingerprint that can be matched against the fingerprint of a CA certificate during
authentication.

If a fingerprint is not preentered for a trustpoint, and if the authentication request is interactive,
you must verify the fingerprint that is displayed during authentication of the CA certificate. If the
authentication request is noninteractive, the certificate will be rejected without a preentered
fingerprint.

Note: If the authentication request is made using the command-line interface (CLI), the request
is an interactive request. If the authentication request is made using HTTP or another
management tool, the request is a noninteractive request.

Note: SCEP proceeds with authentication even if GetCACaps returns an HTTP failure
message. Before enrollment, SCEP initiates a GetCACaps fetch, and enrollment succeeds
only if GetCACaps is successful.

Supported Certificate Enrollment Methods

Cisco IOS software supports the following methods to obtain a certificate from a CA:

• Simple Certificate Enrollment Protocol (SCEP)--A Cisco-developed enrollment protocol
that uses HTTP to communicate with the CA or registration authority (RA). SCEP is the
most commonly used method for sending and receiving requests and certificates.

Note: To take advantage of automated certificate and key rollover functionality, you must be
running a CA that supports rollover, and SCEP must be used as your client enrollment
method. If you are running a Cisco IOS CA, you must be running Cisco IOS Release
12.4(2)T or a later release for rollover support.

• PKCS12--The router imports certificates in PKCS12 format from an external server.
• IOS File System (IFS)--The router uses any file system that is supported by Cisco IOS
software (such as TFTP, FTP, flash, and NVRAM) to send a certificate request and to
receive the issued certificate. Users may enable IFS certificate enrollment when their CA
does not support SCEP.

Note: Prior to Cisco IOS Release 12.3(4)T, only the TFTP file system was supported within IFS.

• Manual cut-and-paste--The router displays the certificate request on the console terminal,
allowing the user to enter the issued certificate on the console terminal. A user may
manually cut-and-paste certificate requests and certificates when there is no network
connection between the router and CA.
• Enrollment profiles--Enrollment profiles are primarily used for EST or terminal-based
enrollment. If the CA server does not support SCEP, the recommended methods
for enrollment are EST-based enrollment or terminal-based enrollment.
• Self-signed certificate enrollment for a trustpoint--The secure HTTP (HTTPS) server
generates a self-signed certificate that is to be used during the secure socket layer (SSL)
handshake, establishing a secure connection between the HTTPS server and the client.
The self-signed certificate is then saved in the router’s startup configuration (NVRAM).
The saved, self-signed certificate can then be used for future SSL handshakes,
eliminating the user intervention that was necessary to accept the certificate every time
the router reloaded.

Note: To take advantage of autoenrollment and autoreenrollment, do not use either TFTP or
manual cut-and-paste enrollment as your enrollment method. Both TFTP and manual cut-
and-paste enrollment methods are manual enrollment processes, requiring user input.

Cisco IOS Suite-B Support for Certificate Enrollment for a PKI

Suite-B requirements comprise four user interface suites of cryptographic algorithms for use
with IKE and IPsec that are described in RFC 4869. Each suite consists of an encryption
algorithm, a digital signature algorithm, a key agreement algorithm, and a hash or message digest
algorithm.

Suite-B adds the following support for the certificate enrollment for a PKI:

• Elliptic Curve Digital Signature Algorithm (ECDSA) (256-bit and 384-bit curves) is used
for the signature operation within X.509 certificates.
• PKI support for validation of X.509 certificates using ECDSA signatures.
• PKI support for generating certificate requests using ECDSA signatures and for
importing the issued certificates into IOS.

See the Configuring Security for VPNs with IPsec feature module for more detailed information
about Cisco IOS Suite-B support.

Registration Authorities

A Cisco IOS certificate server can be configured to run in RA mode. An RA offloads
authentication and authorization responsibilities from a CA. When the RA receives a SCEP or
manual enrollment request, the administrator can either reject or grant it on the basis of local
policy. If the request is granted, it will be forwarded to the issuing CA, and the CA can be
configured to automatically generate the certificate and return it to the RA. The client can later
retrieve the granted certificate from the RA.

Automatic Certificate Enrollment

Automatic certificate enrollment allows the CA client to automatically request a certificate from
its CA server. This automatic router request eliminates the need for operator intervention when
the enrollment request is sent to the CA server. Automatic enrollment is performed on startup for
any trustpoint CA that is configured and that does not have a valid client certificate. When the
certificate expires, a new certificate is automatically requested.

When automatic enrollment is configured, clients automatically request client certificates.

Note: The CA server performs its own authorization checks; if these checks include a policy to
automatically issue certificates, all clients will automatically receive certificates, which is
not very secure. Thus, automatic certificate enrollment should be combined with additional
authentication and authorization mechanisms (such as Secure Device Provisioning (SDP),
leveraging existing certificates, and one-time passwords).

Automated Client Certificate and Key Rollover

By default, the automatic certificate enrollment function requests a new client certificate and
keys from the CS before the client’s current certificate expires. Certificate and key rollover
allows the certificate renewal rollover request to be made before the certificate expires by
retaining the current key and certificate until the new, or rollover, certificate is available. After a
specified amount of time, the rollover certificate and keys will become the active certificate and
keys. The expired certificate and keys are immediately deleted upon rollover and removed from
the certificate chain and CRL.

The setup for automatic rollover is twofold: CA clients must be automatically enrolled and the
client’s CAs must be automatically enrolled and have the auto-rollover command enabled. For
more information on configuring your CA servers for automatic certificate rollover see the
section “Automatic CA Certificate and Key Rollover” in the chapter “Configuring and Managing
a Cisco IOS Certificate Server for PKI Deployment ” of the Public Key Infrastructure
Configuration Guide.

An optional renewal percentage parameter can be used with the auto-enroll command to allow a
new certificate to be requested when a specified percentage of the lifetime of the certificate has
passed. For example, if the renewal percentage is configured as 90 and the certificate has a
lifetime of one year, a new certificate is requested 36.5 days before the old certificate expires. In
order for automatic rollover to occur, the renewal percentage must be less than [Link] specified
percent value must not be less than 10. If a client certificate is issued for less than the configured
validity period due to the impending expiration of the CA certificate, the rollover certificate will
be issued for the balance of that period. A minimum of 10 percent of the configured validity
period, with an absolute minimum of 3 minutes, is required to allow rollover enough time to
function.

Tip: If CA autoenrollment is not enabled, you may manually initiate rollover on an existing
client with the crypto pki enroll command if the expiration time of the current client
certificate is equal to or greater than the expiration time of the corresponding CA
certificate. The client will initiate the rollover process, which occurs only if the server is
configured for automated rollover and has an available rollover server certificate.

Note: A key pair is also sent if configured by the auto-enroll re-generate command and keyword.
It is recommended that a new key pair be issued for security reasons.

Certificate Enrollment Profiles


Certificate enrollment profiles allow users to specify certificate authentication, enrollment, and
reenrollment parameters when prompted. The values for these parameters are referenced by two
templates that make up the profile. One template contains parameters for the HTTP request that
is sent to the CA server to obtain the certificate of the CA (also known as certificate
authentication); the other template contains parameters for the HTTP request that is sent to the
CA for certificate enrollment.

Configuring two templates enables users to specify different URLs or methods for certificate
authentication and enrollment; for example, authentication (getting the certificate of the CA) can
be performed via TFTP (using the authentication url command) and enrollment can be performed
manually (using the enrollment terminal command).

Prior to Cisco IOS Release 12.3(11)T, certificate requests could be sent only in a PKCS10
format; however, an additional parameter was added to the profile, allowing users to specify the
PKCS7 format for certificate renewal requests.

Note: A single enrollment profile can have up to three separate sections for each task--certificate
authentication, enrollment, and reenrollment.

How to Configure Certificate Enrollment for a PKI

This section contains the following enrollment option procedures. If you configure enrollment or
autoenrollment (the first task), you cannot configure manual certificate enrollment. Also, if you
configure TFTP or manual cut-and-paste certificate enrollment, you cannot configure
autoenrollment, autoreenrollment, an enrollment profile, nor can you utilize the automated CA
certificate rollover capability.

Configuring Certificate Enrollment or Autoenrollment

Perform this task to configure certificate enrollment or autoenrollment for clients participating in
your PKI.

Before you begin

Before configuring automatic certificate enrollment requests, you should ensure that all
necessary enrollment information is configured.

Prerequisites for Enabling Automated Client Certificate and Key Rollover

CA client support for certificate rollover is automatically enabled when using autoenrollment.
For automatic CA certificate rollover to run successfully, the following prerequisites are
applicable:

• Your network devices must support shadow PKI.
• Your clients must be running Cisco IOS Release 12.4(2)T or a later release.
• The client’s CS must support automatic rollover. See the section “Automatic CA
Certificate and Key Rollover” in the chapter “Configuring and Managing a Cisco IOS
Certificate Server for PKI Deployment” of the Public Key Infrastructure Configuration
Guide for more information on CA server automatic rollover configuration.

Prerequisites for Specifying Autoenrollment Initial Key Generation Location

To specify the location of the autoenrollment initial key generation, you must be running Cisco
IOS Release 12.4(11)T or a later release.

RSA Key Pair Restriction for Autoenrollment

Trustpoints configured to generate a new key pair using the regenerate command or the
regenerate keyword of the auto-enroll command must not share key pairs with other trustpoints.
To give each trustpoint its own key pair, use the rsakeypair command in ca-trustpoint
configuration mode. Sharing key pairs among regenerating trustpoints is not supported and will
cause loss of service on some of the trustpoints because of key and certificate mismatches.

Restrictions for Automated Client Certificate and Key Rollover

In order for clients to run automatic CA certificate rollover successfully, the following
restrictions are applicable:

• SCEP must be used to support rollover. Any device that enrolls with the PKI using an
alternative to SCEP as the certificate management protocol or mechanism (such as
enrollment profiles, manual enrollment, or TFTP enrollment) will not be able to take
advantage of the rollover functionality provided by SCEP.
• If the configuration cannot be saved to the startup configuration after a shadow certificate
is generated, rollover will not occur.

Note: Security threats, as well as the cryptographic technologies to help protect against them, are
constantly changing. For more information about the latest Cisco cryptographic
recommendations, see the Next Generation Encryption (NGE) white paper.

SUMMARY STEPS

1. enable
2. configure terminal
3. crypto pki trustpoint name
4. enrollment [mode | retry period minutes | retry count number] url url [pem]
5. eckeypair label
6. subject-name [x.500-name]
7. vrf vrf-name
8. ip-address {ip-address | interface | none}
9. serial-number [none]
10. auto-enroll [percent] [regenerate]
11. usage method1 [method2 [method3]]
12. password string
13. rsakeypair key-label [key-size [encryption-key-size]]
14. fingerprint ca-fingerprint
15. on devicename:
16. exit
17. crypto pki authenticate name
18. exit
19. copy system:running-config nvram:startup-config
20. show crypto pki certificates

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Router> enable

Step 2: configure terminal
Purpose: Enters global configuration mode.
Example:
Router# configure terminal

Step 3: crypto pki trustpoint name
Purpose: Declares the trustpoint and a given name and enters ca-trustpoint configuration mode.
Example:
Router(config)# crypto pki trustpoint mytp

Step 4: enrollment [mode | retry period minutes | retry count number] url url [pem]
Purpose: Specifies the URL of the CA to which your router should send certificate requests.
• mode--Specifies RA mode if your CA system provides an RA.
• retry period minutes--Specifies the wait period between certificate request retries. The
default is 1 minute between retries.
• retry count number--Specifies the number of times a router will resend a certificate request
when it does not receive a response from the previous request. (Specify from 1 to 100 retries.)
• url url--URL of the file system where your router should send certificate requests. An IPv6
address can be added in the URL enclosed in brackets. For example: http://[2001:DB8:1:1::1]:80.
• pem--Adds privacy-enhanced mail (PEM) boundaries to the certificate request.
Note: An enrollment method other than TFTP or manual cut-and-paste must be configured to
support autoenrollment.
Example:
Router(ca-trustpoint)# enrollment url [Link]

Step 5: eckeypair label
Purpose: (Optional) Configures the trustpoint to use an Elliptic Curve (EC) key on which
certificate requests are generated using ECDSA signatures. The label argument specifies the EC
key label that is configured using the crypto key generate rsa or crypto key generate ec keysize
command in global configuration mode. See the Configuring Internet Key Exchange for IPsec
VPNs feature module for more information.
Note: If an ECDSA-signed certificate is imported without a trustpoint configuration, then the
label defaults to the FQDN value.
Example:
Router(ca-trustpoint)# eckeypair Router_1_Key

Step 6: subject-name [x.500-name]
Purpose: (Optional) Specifies the requested subject name that will be used in the certificate request.
• x.500-name--If it is not specified, the fully qualified domain name (FQDN), which is the
default subject name, will be used.
Example:
Router(ca-trustpoint)# subject-name cat

Step 7: vrf vrf-name
Purpose: (Optional) Specifies the VRF instance in the public key infrastructure (PKI) trustpoint
to be used for enrollment, certificate revocation list (CRL) retrieval, and online certificate status
protocol (OCSP) status.
Example:
Router(ca-trustpoint)# vrf myvrf

Step 8: ip-address {ip-address | interface | none}
Purpose: (Optional) Includes the IP address of the specified interface in the certificate request.
• Issue the ip-address argument to specify either an IPv4 or IPv6 address.
• Issue the interface argument to specify an interface on the router.
• Issue the none keyword if no IP address should be included.
Note: If this command is enabled, you will not be prompted for an IP address during enrollment
for this trustpoint.
Example:
Router(ca-trustpoint)# ip-address [Link]

Step 9: serial-number [none]
Purpose: (Optional) Specifies the router serial number in the certificate request, unless the none
keyword is issued.
• Issue the none keyword to specify that a serial number will not be included in the
certificate request.
Example:
Router(ca-trustpoint)# serial-number

Step 10: auto-enroll [percent] [regenerate]
Purpose: (Optional) Enables autoenrollment, allowing the client to automatically request a
rollover certificate from the CA.
• If autoenrollment is not enabled, the client must be manually re-enrolled in your PKI upon
certificate expiration.
• By default, only the Domain Name System (DNS) name of the router is included in the
certificate.
• Use the percent argument to specify that a new certificate will be requested after the
percentage of the lifetime of the current certificate is reached.
• Use the regenerate keyword to generate a new key for the certificate even if a named key
already exists.
Note: If the key pair being rolled over is exportable, the new key pair will also be exportable.
The following comment will appear in the trustpoint configuration to indicate whether the key
pair is exportable: “! RSA key pair associated with trustpoint is exportable.”
Note: It is recommended that a new key pair be generated for security reasons.
Example:
Router(ca-trustpoint)# auto-enroll regenerate

Step 11: usage method1 [method2 [method3]]
Purpose: (Optional) Specifies the intended use for the certificate.
• Available options are ike, ssl-client, and ssl-server; the default is ike.
Example:
Router(ca-trustpoint)# usage ssl-client

Step 12: password string
Purpose: (Optional) Specifies the revocation password for the certificate.
• If this command is enabled, you will not be prompted for a password during enrollment for
this trustpoint.
Note: When SCEP is used, this password can be used to authorize the certificate request--often
via a one-time password or similar mechanism.
Example:
Router(ca-trustpoint)# password string1

Step 13: rsakeypair key-label [key-size [encryption-key-size]]
Purpose: (Optional) Specifies which key pair to associate with the certificate.
• A key pair with the key-label argument will be generated during enrollment if it does not
already exist or if the auto-enroll regenerate command was issued.
• Specify the key-size argument for generating the key, and specify the encryption-key-size
argument to request separate encryption and signature keys and certificates. The key-size
and encryption-key-size must be the same size. A key length of less than 2048 is not
recommended.
Note: If this command is not enabled, the FQDN key pair is used.
Example:
Router(ca-trustpoint)# rsakeypair key-label 2048 2048

Step 14: fingerprint ca-fingerprint
Purpose: (Optional) Specifies a fingerprint that can be matched against the fingerprint of a CA
certificate during authentication.
Note: If the fingerprint is not provided and authentication of the CA certificate is interactive,
the fingerprint will be displayed for verification.
Example:
Router(ca-trustpoint)# fingerprint 12EF53FA 355CD23E 12EF53FA 355CD23E

Step 15: on devicename:
Purpose: (Optional) Specifies that RSA keys will be created on the specified device upon
autoenrollment initial key generation.
• Devices that may be specified include NVRAM, local disks, and Universal Serial Bus (USB)
tokens. USB tokens may be used as cryptographic devices in addition to a storage device.
Using a USB token as a cryptographic device allows RSA operations such as key generation,
signing, and authentication to be performed on the token.
Example:
Router(ca-trustpoint)# on usbtoken0:

Step 16: exit
Purpose: Exits ca-trustpoint configuration mode and returns to global configuration mode.
Example:
Router(ca-trustpoint)# exit

Step 17: crypto pki authenticate name
Purpose: Retrieves the CA certificate and authenticates it. Check the certificate fingerprint if
prompted.
Note: This command is optional if the CA certificate is already loaded into the configuration.
Example:
Router(config)# crypto pki authenticate mytp

Step 18: exit
Purpose: Exits global configuration mode.
Example:
Router(config)# exit

Step 19: copy system:running-config nvram:startup-config
Purpose: (Optional) Copies the running configuration to the NVRAM startup configuration.
Note: Autoenrollment will not update NVRAM if the running configuration has been modified
but not written to NVRAM.
Example:
Router# copy system:running-config nvram:startup-config

Step 20: show crypto pki certificates
Purpose: (Optional) Displays information about your certificates, including any rollover
certificates.
Example:
Router# show crypto pki certificates
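The following session, added here as an illustration and not taken from the Cisco guide, runs through the steps above for a SCEP-enrolled client with autoenrollment at 90 percent of the certificate lifetime and key regeneration, which also ties together the rollover rules (percent between 10 and 100, no shared key pair when regenerating) described earlier. The trustpoint name, CA URL, subject name and key label are assumed values, and the fingerprint is the guide's own sample, which must be replaced by the value obtained from the CA operator out of band.

```cisco
! Added example (not from the Cisco guide). Assumed values: trustpoint "mytp",
! CA URL http://ca.example.net:80, key label "mytp-key", subject-name fields.
Router> enable
Router# configure terminal
! Step 3: declare the trustpoint and enter ca-trustpoint configuration mode.
Router(config)# crypto pki trustpoint mytp
! Step 4: SCEP over HTTP (not TFTP or terminal), so autoenrollment and
! rollover are possible. Retry every 2 minutes, at most 10 times.
Router(ca-trustpoint)# enrollment retry period 2 retry count 10 url http://ca.example.net:80
! Step 6: explicit subject name instead of the default FQDN.
Router(ca-trustpoint)# subject-name CN=router1.example.net,OU=WAN,O=Example
! Steps 8 and 9: keep the IP address and serial number out of the request,
! which also suppresses those enrollment prompts.
Router(ca-trustpoint)# ip-address none
Router(ca-trustpoint)# serial-number none
! Step 10: request the rollover certificate when 90% of the lifetime has
! passed and generate a fresh key pair for it (percent must be >= 10 and < 100).
Router(ca-trustpoint)# auto-enroll 90 regenerate
! Step 11: certificate usage (ike is the default).
Router(ca-trustpoint)# usage ike
! Step 13: dedicated key pair. Because "regenerate" is set, this label must
! not be shared with any other trustpoint (RSA Key Pair Restriction). The key
! is generated during enrollment if it does not exist yet.
Router(ca-trustpoint)# rsakeypair mytp-key 2048
! Step 14: pre-entered CA fingerprint so that a noninteractive authentication
! (for example from a management tool) is not rejected, and so that a CA
! certificate with a different fingerprint is refused. The value below is the
! guide's sample; replace it with the fingerprint obtained from the CA operator.
Router(ca-trustpoint)# fingerprint 12EF53FA 355CD23E 12EF53FA 355CD23E
Router(ca-trustpoint)# exit
! Step 17: fetch the CA certificate; it is accepted only if its fingerprint
! matches the pre-entered value (or is confirmed at the CLI prompt).
Router(config)# crypto pki authenticate mytp
Router(config)# exit
! Steps 19 and 20: save the configuration so autoenrollment can update NVRAM
! after the shadow certificate is issued, then verify the certificate state.
Router# copy system:running-config nvram:startup-config
Router# show crypto pki certificates
```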

Configuring Manual Certificate Enrollment

Manual certificate enrollment can be set up via TFTP or the manual cut-and-paste method. Both
options can be used if your CA does not support SCEP or if a network connection between the
router and CA is not possible. Perform one of the following tasks to set up manual certificate
enrollment:

PEM-Formatted Files for Certificate Enrollment Request


Using PEM-formatted files for certificate requests can be helpful for customers who are using
terminal or profile-based enrollment to request certificates from their CA server. Customers
using PEM-formatted files can directly use existing certificates on their routers.

Restrictions for Manual Certificate Enrollment

SCEP Restriction

We do not recommend switching URLs if SCEP is used; that is, if the enrollment URL is
“[Link]”, do not change the enrollment URL after getting the CA certificate and before
enrolling the certificate. A user can switch between TFTP and manual cut-and-paste.

Key Regeneration Restriction

Do not regenerate the keys manually using the crypto key generate command; key regeneration
will occur when the crypto pki enroll command is issued if the regenerate keyword is specified.

Configuring Cut-and-Paste Certificate Enrollment

Perform this task to configure cut-and-paste certificate enrollment. This task helps you to
configure manual certificate enrollment via the cut-and-paste method for peers participating in
your PKI.

SUMMARY STEPS

1. enable
2. configure terminal
3. crypto pki trustpoint name
4. enrollment terminal pem
5. fingerprint ca-fingerprint
6. exit
7. crypto pki authenticate name
8. crypto pki enroll name
9. crypto pki import name certificate
10. exit
11. show crypto pki certificates

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Router> enable

Step 2: configure terminal
Purpose: Enters global configuration mode.
Example:
Router# configure terminal

Step 3: crypto pki trustpoint name
Purpose: Declares the trustpoint and a given name and enters ca-trustpoint configuration mode.
Example:
Router(config)# crypto pki trustpoint mytp

Step 4: enrollment terminal pem
Purpose: Specifies the manual cut-and-paste certificate enrollment method.
• The certificate request will be displayed on the console terminal so that it may be manually
copied (or cut).
• pem--Configures the trustpoint to generate PEM-formatted certificate requests to the
console terminal.
Example:
Router(ca-trustpoint)# enrollment terminal

Step 5: fingerprint ca-fingerprint
Purpose: (Optional) Specifies a fingerprint that can be matched against the fingerprint of a CA
certificate during authentication.
Note: If the fingerprint is not provided, it will be displayed for verification.
Example:
Router(ca-trustpoint)# fingerprint 12EF53FA 355CD23E 12EF53FA 355CD23E

Step 6: exit
Purpose: Exits ca-trustpoint configuration mode and returns to global configuration mode.
Example:
Router(ca-trustpoint)# exit

Step 7: crypto pki authenticate name
Purpose: Retrieves the CA certificate and authenticates it.
Example:
Router(config)# crypto pki authenticate mytp

Step 8: crypto pki enroll name
Purpose: Generates the certificate request and displays the request for copying and pasting into
the certificate server.
• You are prompted for enrollment information, such as whether to include the router FQDN
and IP address in the certificate request. You are also given the choice about displaying the
certificate request to the console terminal.
• The base-64 encoded certificate request, with or without PEM headers as requested, is
displayed.
Example:
Router(config)# crypto pki enroll mytp

Step 9: crypto pki import name certificate
Purpose: Imports a certificate manually at the console terminal (pasting).
• The base-64 encoded certificate is accepted from the console terminal and inserted into the
internal certificate database.
Note: You must enter this command twice if usage keys, a signature key, and an encryption key
are used. The first time the command is entered, one of the certificates is pasted into the router.
The second time the command is entered, the other certificate is pasted into the router. It does
not matter which certificate is pasted first.
Note: Some CAs ignore the usage key information in the certificate request and issue general
purpose usage certificates. If this applies to the certificate authority you are using, import the
general purpose certificate. The router will not use one of the two key pairs generated.
Example:
Router(config)# crypto pki import mytp certificate

Step 10: exit
Purpose: Exits global configuration mode.
Example:
Router(config)# exit

Step 11: show crypto pki certificates
Purpose: (Optional) Displays information about your certificates, the certificates of the CA, and
RA certificates.
Example:
Router# show crypto pki certificates

Configuring TFTP Certificate Enrollment

Perform this task to configure manual certificate enrollment using a TFTP server.

Before you begin

• You must know the correct URL to use if you are configuring certificate enrollment via TFTP.
• The router must be able to write a file to the TFTP server for the crypto pki enroll command.
• If you are using a file specification with the enrollment command, the file must contain the CA certificate, either in binary format or base-64 encoded.
• You must know whether your CA ignores key usage information in a certificate request and issues only a general purpose usage certificate.

Caution: Some TFTP servers require that a file already exist on the server before it can be written, and most TFTP servers require files that can be written over. This is a risk because TFTP has no authentication: any router or other device that can reach the server may write or overwrite the certificate request file. To ensure that a substituted request is not signed, the CA administrator must check the fingerprint of the enrollment request against the fingerprint of the request as generated on the router before granting it.

SUMMARY STEPS

1. enable
2. configure terminal
3. crypto pki trustpoint name
4. enrollment [mode] [retry period minutes] [retry count number] url url [pem]
5. fingerprint ca-fingerprint
6. exit
7. crypto pki authenticate name
8. crypto pki enroll name
9. crypto pki import name certificate
10. exit
11. show crypto pki certificates

DETAILED STEPS

Step 1  enable
  Purpose: Enables privileged EXEC mode.
  • Enter your password if prompted.
  Example: Router> enable

Step 2  configure terminal
  Purpose: Enters global configuration mode.
  Example: Router# configure terminal

Step 3  crypto pki trustpoint name
  Purpose: Declares the trustpoint with the given name and enters ca-trustpoint configuration mode.
  Example: Router(config)# crypto pki trustpoint mytp

Step 4  enrollment [mode] [retry period minutes] [retry count number] url url [pem]
  Purpose: Specifies TFTP as the enrollment method used to send the enrollment request and to retrieve the CA certificate and router certificate, together with any optional parameters.
  Note: For TFTP enrollment, the URL must be configured as a TFTP URL, t[Link]
  • An optional file specification filename may be included in the TFTP URL. If the file specification is not included, the FQDN is used. If the file specification is included, the router appends the extension ".ca" to the specified filename.
  Example: Router(ca-trustpoint)# enrollment url t[Link]

Step 5  fingerprint ca-fingerprint
  Purpose: (Optional) Specifies the fingerprint of the CA certificate, received via an out-of-band method from the CA administrator.
  Note: If the fingerprint is not provided, it is displayed for verification.
  Example: Router(ca-trustpoint)# fingerprint 12EF53FA 355CD23E 12EF53FA 355CD23E

Step 6  exit
  Purpose: Exits ca-trustpoint configuration mode and returns to global configuration mode.
  Example: Router(ca-trustpoint)# exit

Step 7  crypto pki authenticate name
  Purpose: Retrieves the CA certificate from the specified TFTP server and authenticates it.
  Example: Router(config)# crypto pki authenticate mytp

Step 8  crypto pki enroll name
  Purpose: Generates the certificate request and writes the request out to the TFTP server.
  • You are prompted for enrollment information, such as whether to include the router FQDN and IP address in the certificate request. You are asked whether to display the certificate request on the console terminal.
  • The filename written is appended with the extension ".req". For usage keys (a signature key and an encryption key), two requests are generated and sent. The usage key request filenames are appended with the extensions "-[Link]" and "-[Link]", respectively.
  Example: Router(config)# crypto pki enroll mytp

Step 9  crypto pki import name certificate
  Purpose: Imports a certificate via TFTP at the console terminal, retrieving the granted certificate.
  • The router attempts to retrieve the granted certificate via TFTP using the same filename used to send the request, except that the extension is changed from ".req" to ".crt". For usage key certificates, the extensions "-[Link]" and "-[Link]" are used.
  • The router parses the received files, verifies the certificates, and inserts them into its internal certificate database.
  Note: Some CAs ignore the usage key information in the certificate request and issue general purpose usage certificates. If your CA ignores the usage key information in the certificate request, import only the general purpose certificate. The router will then not use one of the two key pairs generated.
  Example: Router(config)# crypto pki import mytp certificate

Step 10  exit
  Purpose: Exits global configuration mode.
  Example: Router(config)# exit

Step 11  show crypto pki certificates
  Purpose: (Optional) Displays information about your certificates, the certificates of the CA, and RA certificates.
  Example:
Router# show crypto pki certificates
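Both the cut-and-paste and the TFTP procedures above produce two requests when usage keys are in use, both warn that the CA may ignore the requested key usage, and the TFTP caution makes the CA administrator responsible for checking a request before granting it. What is being checked lives inside the PKCS#10 blob. The following Python script is an added example, not Cisco code: with a minimal DER walker written for this page it decodes the two requests that the cut-and-paste example later on this page prints ("Signature key certificate request" and "Encryption key certificate request", rejoined here from their wrapped lines) and reports the subject, RSA modulus size, signature algorithm and requested keyUsage. The findings function and its thresholds are this example's own choices, not Cisco's.

```python
"""Inspect the PKCS#10 requests that crypto pki enroll produces for usage keys.
Added example for this page (not Cisco code); helper names are this example's own."""
import base64

# The two requests printed in the cut-and-paste example on this page, rejoined.
SIGN_REQ = """
MIIBhTCB7wIBADAlMSMwIQYJKoZIhvcNAQkCFhRTYW5kQmFnZ2VyLmNpc2NvLmNv
bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxdhXFDiWAn/hIZs9zfOtssKA
daoWYu0ms9Fe/Pew01dh14vXdxgacstOs2Pr5wk6jLOPxpvxOJPWyQM6ipLmyVxv
ojhyLTrVohrh6Dnqcvk+G/5ohss9o9RxvONwx042pQchFnx9EkMuZC7evwRxJEqR
mBHXBZ8GmP3jYQsjS8MCAwEAAaAhMB8GCSqGSIb3DQEJDjESMBAwDgYDVR0PAQH/
BAQDAgeAMA0GCSqGSIb3DQEBBAUAA4GBAMT6WtyFw95POY7UtF+YIYHiVRUf4SCq
hRIAGrljUePLo9iTqyPU1Pnt8JnIZ5P5BHU3MfgP8sqodaWub6mubkzaohJ1qD06
O87fnLCNid5Tov5jKogFHIki2EGGZxBosUw9lJlenQdNdDPbJc5LIWdfDvciA6jO
Nl8rOtKnt8Q+
"""
ENCR_REQ = """
MIIBhTCB7wIBADAlMSMwIQYJKoZIhvcNAQkCFhRTYW5kQmFnZ2VyLmNpc2NvLmNv
bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwG60QojpDbzbKnyj8FyTiOcv
THkDP7XD4vLT1XaJ409z0gSIoGnIcdFtXhVlBWtpq3/O9zYFXr1tH+BMCRQi3Lts
0IpxYa3D9iFPqev7SPXpsAIsY8a6FMq7TiwLObqiQjLKL4cbuV0Frjl0Yuv5A/Z+
kqMOm7c+pWNWFdLe9lsCAwEAAaAhMB8GCSqGSIb3DQEJDjESMBAwDgYDVR0PAQH/
BAQDAgUgMA0GCSqGSIb3DQEBBAUAA4GBACF7feURj/fJMojPBlR6fa9BrlMJx+2F
H91YM/CIiz2n4mHTeWTWKhLoT8wUfa9NGOk7yi+nF/F7035twLfq6n2bSCTW4aem
8jLMMaeFxwkrV/ceQKrucmNC1uVx+fBy9rhnKx8j60XE25tnp1U08r6om/pBQABU
eNPFhozcaQ/2
"""

OID_KEY_USAGE = bytes.fromhex("551d0f")                 # 2.5.29.15
OID_EXT_REQ = bytes.fromhex("2a864886f70d01090e")       # 1.2.840.113549.1.9.14
OID_UNSTRUCTURED = bytes.fromhex("2a864886f70d010902")  # 1.2.840.113549.1.9.2
SIG_ALGS = {"2a864886f70d010104": "md5WithRSAEncryption", "2a864886f70d010105": "sha1WithRSAEncryption",
            "2a864886f70d01010b": "sha256WithRSAEncryption"}
KEY_USAGE_BITS = ("digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
                  "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly")


def _tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the content of a constructed value into (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _key_usage(bitstring):
    """Map a BIT STRING value (unused-bits byte, then the bits) to KeyUsage names."""
    unused, body = bitstring[0], bitstring[1:]
    total, bits = len(body) * 8, int.from_bytes(body, "big")
    return [name for i, name in enumerate(KEY_USAGE_BITS)
            if i < total - unused and (bits >> (total - 1 - i)) & 1]


def inspect_csr(b64):
    """Return subject, RSA size, signature algorithm and keyUsage of a PKCS#10 request."""
    _, request, _ = _tlv(base64.b64decode("".join(b64.split())))
    info, sig_alg = _children(request)[:2]          # CertificationRequestInfo, AlgorithmIdentifier
    _version, subject, spki, attrs = _children(info[1])[:4]
    report = {"key_usage": [],
              "signature_algorithm": SIG_ALGS.get(_children(sig_alg[1])[0][1].hex(), "unknown")}
    for _, rdn in _children(subject[1]):            # Name = SEQ OF RDN (SET OF AVA)
        for _, ava in _children(rdn):
            oid, val = _children(ava)
            if oid[1] == OID_UNSTRUCTURED:
                report["unstructuredName"] = val[1].decode("ascii")
    pubkey = _children(spki[1])[1][1]               # BIT STRING: unused byte + RSAPublicKey
    modulus = _children(_tlv(pubkey[1:])[1])[0][1]
    report["rsa_bits"] = int.from_bytes(modulus, "big").bit_length()
    for _, attr in _children(attrs[1]):             # Attribute = SEQ { OID, SET OF value }
        oid, values = _children(attr)
        if oid[1] != OID_EXT_REQ:
            continue
        for _, exts in _children(values[1]):        # each value is an Extensions SEQ
            for _, ext in _children(exts):          # Extension = OID [critical] OCTET STRING
                parts = _children(ext)
                if parts[0][1] == OID_KEY_USAGE:    # OCTET STRING wraps the BIT STRING
                    report["key_usage"] = _key_usage(_tlv(parts[-1][1])[1])
    return report


def ca_admin_findings(report):
    """Things a CA operator should refuse or query before granting (thresholds are ours)."""
    findings = []
    if report["rsa_bits"] < 2048:
        findings.append(f"RSA modulus is {report['rsa_bits']} bits; at least 2048 is recommended")
    if report["signature_algorithm"] == "md5WithRSAEncryption":
        findings.append("request is self-signed with MD5; require a SHA-2 signature")
    if not report["key_usage"]:
        findings.append("no keyUsage requested; the CA would issue a general purpose certificate")
    return findings


if __name__ == "__main__":
    for label, req in (("signature key request", SIGN_REQ), ("encryption key request", ENCR_REQ)):
        report = inspect_csr(req)
        print(label, report, ca_admin_findings(report), sep="\n  ")
```

The script needs only the standard library. On the page's two requests it reports keyUsage digitalSignature for the first and keyEncipherment for the second, which is how a CA that honours key usage tells the "-sign" and "-encr" requests apart; it also flags that both carry 1024-bit RSA keys and an MD5 self-signature, which this module's own guidance (at least 2048 bits, NGE recommendations) says a CA should not accept today.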


Certifying a URL Link for Secure Communication with a Trend Micro Server

Perform this task to certify a link used in URL filtering that allows secure communication with a Trend Micro Server.

Note: Security threats, as well as the cryptographic technologies to help protect against them, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the Next Generation Encryption (NGE) white paper.

SUMMARY STEPS

1. enable
2. clock set hh:mm:ss date month year
3. configure terminal
4. clock timezone zone hours-offset [minutes-offset]
5. ip http server
6. hostname name
7. ip domain-name name
8. crypto key generate rsa general-keys modulus modulus-size
9. crypto pki trustpoint name
10. enrollment terminal
11. crypto ca authenticate name
12. Copy the following block of text containing the base 64 encoded CA certificate and paste it at the prompt.
13. Enter yes to accept this certificate.
14. serial-number
15. revocation-check none
16. end
17. trm register

DETAILED STEPS

Step 1  enable
  Purpose: Enables privileged EXEC mode.
  • Enter your password if prompted.
  Example: Router> enable

Step 2  clock set hh:mm:ss date month year
  Purpose: Sets the clock on the router. Certificate validity periods are checked against this clock, so it must be correct before the CA certificate is authenticated.
  Example: Router# clock set 23:22:00 22 Dec 2009

Step 3  configure terminal
  Purpose: Enters global configuration mode.
  Example: Router# configure terminal

Step 4  clock timezone zone hours-offset [minutes-offset]
  Purpose: Sets the time zone.
  • The zone argument is the name of the time zone (typically a standard acronym). The hours-offset argument is the number of hours the time zone differs from Coordinated Universal Time (UTC). The minutes-offset argument is the number of minutes the time zone differs from UTC.
  Note: The minutes-offset argument of the clock timezone command is available for those cases where a local time zone is a fraction of an hour different from UTC or Greenwich Mean Time (GMT). For example, the time zone for some sections of Atlantic Canada (AST) is UTC-3.5. In this case, the necessary command would be clock timezone AST -3 30.
  Example: Router(config)# clock timezone PST -08

Step 5  ip http server
  Purpose: Enables the HTTP server.
  Example: Router(config)# ip http server

Step 6  hostname name
  Purpose: Configures the hostname of the router.
  Example: Router(config)# hostname hostname1

Step 7  ip domain-name name
  Purpose: Defines the domain name for the router.
  Example: Router(config)# ip domain-name [Link]

Step 8  crypto key generate rsa general-keys modulus modulus-size
  Purpose: Generates the crypto keys.
  • The general-keys keyword specifies that a general purpose key pair is generated, which is the default.
  • The modulus keyword and modulus-size argument specify the size of the key modulus. By default, the modulus of a CA key is 1024 bits. When generating RSA keys, you are prompted to enter a modulus length. A longer modulus offers stronger security but takes longer to generate and to use. A length of less than 2048 is not recommended.
  Note: The name of the general keys that are generated is based on the domain name configured in Step 7. For example, the keys will be called "[Link]".
  Example: Router(config)# crypto key generate rsa general-keys modulus 2048

Step 9  crypto pki trustpoint name
  Purpose: Declares the CA that your router should use and enters ca-trustpoint configuration mode.
  Note: Effective with Cisco IOS Release 12.3(8)T, the crypto pki trustpoint command replaced the crypto ca trustpoint command.
  Example: Router(config)# crypto pki trustpoint mytp

Step 10  enrollment terminal
  Purpose: Specifies the manual cut-and-paste certificate enrollment method.
  • The certificate request is displayed on the console terminal so that you can copy (or cut) it manually.
  Example: Router(ca-trustpoint)# enrollment terminal

Step 11  crypto ca authenticate name
  Purpose: Takes the name of the CA as the argument and authenticates it.
  • The following command output displays:
    Enter the base 64 encoded CA certificate.
    End with a blank line or the word "quit" on a line by itself.
  Example: Router(ca-trustpoint)# crypto ca authenticate mytp

Step 12  Copy the following block of text containing the base 64 encoded CA certificate and paste it at the prompt.
MIIDIDCCAomgAwIBAgIENd70zzANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJV
UzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2Vy
dGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyMjE2NDE1MVoXDTE4MDgyMjE2NDE1
MVowTjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VxdWlmYXgxLTArBgNVBAsTJEVx
dWlmYXggU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eTCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEAwV2xWGcIYu6gmi0fCG2RFGiYCh7+2gRvE4RiIcPRfM6f
BeC4AfBONOziipUEZKzxa1NfBbPLZ4C/QgKO/t0BCezhABRP/PvwDN1Dulsr4R+A
cJkVV5MW8Q+XarfCaCMczE1ZMKxRHjuvK9buY0V7xdlfUNLjUA86iOe/FP3gx7kC
AwEAAaOCAQkwggEFMHAGA1UdHwRpMGcwZaBjoGGkXzBdMQswCQYDVQQGEwJVUzEQ
MA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2VydGlm
aWNhdGUgQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMBoGA1UdEAQTMBGBDzIwMTgw
ODIyMTY0MTUxWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUSOZo+SvSspXXR9gj
IBBPM5iQn9QwHQYDVR0OBBYEFEjmaPkr0rKV10fYIyAQTzOYkJ/UMAwGA1UdEwQF
MAMBAf8wGgYJKoZIhvZ9B0EABA0wCxsFVjMuMGMDAgbAMA0GCSqGSIb3DQEBBQUA
A4GBAFjOKer89961zgK5F7WF0bnj4JXMJTENAKaSbn+2kmOeUJXRmm/kEd5jhW6Y
7qj/WsjTVbJmcVfewCHrPSqnI0kBBIZCe/zuf6IWUrVnZ9NA2zsmWLIodz2uFHdh
1voqZiegDfqnc1zqcPGUIWVEX/r87yloqaKHee9570+sB3c4
  The following command output displays:
    Certificate has the following attributes:
    Fingerprint MD5: 67CB9DC0 13248A82 9BB2171E D11BECD4
    Fingerprint SHA1: D23209AD 23D31423 2174E40D 7F9D6213 9786633A

Step 13  Enter yes to accept this certificate.
  Compare the displayed fingerprint with a value obtained out of band from the CA before answering; accepting an unverified CA certificate lets whoever supplied it issue certificates that the router will trust.
    % Do you accept this certificate? [yes/no]: yes
  The following command output displays:
    Trustpoint CA certificate accepted.
    % Certificate successfully imported

Step 14  serial-number
  Purpose: Specifies that the router serial number is included in the certificate request.
  Example: hostname1(ca-trustpoint)# serial-number

Step 15  revocation-check none
  Purpose: Specifies that certificate revocation checking is not performed for this trustpoint (no CRL or OCSP lookup), so a revoked certificate would still be accepted.
  Example: hostname1(ca-trustpoint)# revocation-check none

Step 16  end
  Purpose: Exits ca-trustpoint configuration mode and returns to privileged EXEC mode.
  Example: hostname1(ca-trustpoint)# end

Step 17  trm register
  Purpose: Manually starts the Trend Micro Server registration process.
  Example: hostname1# trm register

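The fingerprint that IOS prints in Step 12 is the only thing standing between you and a substituted CA certificate: whether the certificate arrives by cut-and-paste, TFTP or HTTP, the value must be compared with one obtained out of band before you answer yes in Step 13. The following Python script is an added example, not Cisco code. It recomputes the MD5 and SHA-1 fingerprints of the Equifax Secure CA certificate pasted in Step 12 (reassembled from the wrapped lines on this page) in the grouping IOS uses, also accepts the colon-separated spelling that openssl x509 -fingerprint prints, and compares the result with the values shown in Step 12. The helper names are this example's own.

```python
"""Check a CA certificate fingerprint the way crypto pki authenticate asks you to.
Added example for this page (not Cisco code); helper names are this example's own."""
import base64
import hashlib
import re

# Equifax Secure CA certificate pasted in Step 12, reassembled from the wrapped lines.
EQUIFAX_CA_PEM = """-----BEGIN CERTIFICATE-----
MIIDIDCCAomgAwIBAgIENd70zzANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJV
UzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2Vy
dGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyMjE2NDE1MVoXDTE4MDgyMjE2NDE1
MVowTjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VxdWlmYXgxLTArBgNVBAsTJEVx
dWlmYXggU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eTCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEAwV2xWGcIYu6gmi0fCG2RFGiYCh7+2gRvE4RiIcPRfM6f
BeC4AfBONOziipUEZKzxa1NfBbPLZ4C/QgKO/t0BCezhABRP/PvwDN1Dulsr4R+A
cJkVV5MW8Q+XarfCaCMczE1ZMKxRHjuvK9buY0V7xdlfUNLjUA86iOe/FP3gx7kC
AwEAAaOCAQkwggEFMHAGA1UdHwRpMGcwZaBjoGGkXzBdMQswCQYDVQQGEwJVUzEQ
MA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2VydGlm
aWNhdGUgQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMBoGA1UdEAQTMBGBDzIwMTgw
ODIyMTY0MTUxWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUSOZo+SvSspXXR9gj
IBBPM5iQn9QwHQYDVR0OBBYEFEjmaPkr0rKV10fYIyAQTzOYkJ/UMAwGA1UdEwQF
MAMBAf8wGgYJKoZIhvZ9B0EABA0wCxsFVjMuMGMDAgbAMA0GCSqGSIb3DQEBBQUA
A4GBAFjOKer89961zgK5F7WF0bnj4JXMJTENAKaSbn+2kmOeUJXRmm/kEd5jhW6Y
7qj/WsjTVbJmcVfewCHrPSqnI0kBBIZCe/zuf6IWUrVnZ9NA2zsmWLIodz2uFHdh
1voqZiegDfqnc1zqcPGUIWVEX/r87yloqaKHee9570+sB3c4
-----END CERTIFICATE-----
"""

# Fingerprints that IOS displayed for this certificate in Step 12.
PAGE_MD5 = "67CB9DC0 13248A82 9BB2171E D11BECD4"
PAGE_SHA1 = "D23209AD 23D31423 2174E40D 7F9D6213 9786633A"

HASH_BY_HEX_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def pem_to_der(pem: str) -> bytes:
    """Drop PEM armour (if present) and whitespace; return the DER certificate."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()), validate=True)


def ios_fingerprint(der: bytes, algo: str) -> str:
    """Hash the DER bytes and format them as IOS does: upper-case, 8-digit groups."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def normalize(fingerprint: str) -> str:
    """Accept IOS ('D23209AD 23D3...') or OpenSSL ('D2:32:09:AD:...') spellings."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", fingerprint).upper()
    return " ".join(digits[i:i + 8] for i in range(0, len(digits), 8))


def fingerprint_matches(der: bytes, expected: str) -> bool:
    """True if the out-of-band fingerprint matches; the hash is inferred from its length."""
    want = normalize(expected)
    algo = HASH_BY_HEX_LENGTH.get(len(want.replace(" ", "")))
    if algo is None:
        raise ValueError("fingerprint is not an MD5, SHA-1 or SHA-256 hex digest")
    return ios_fingerprint(der, algo) == want


if __name__ == "__main__":
    der = pem_to_der(EQUIFAX_CA_PEM)
    for algo in ("md5", "sha1", "sha256"):
        print(f"Fingerprint {algo.upper()}: {ios_fingerprint(der, algo)}")
    print("matches Step 12 MD5 :", fingerprint_matches(der, PAGE_MD5))
    print("matches Step 12 SHA1:", fingerprint_matches(der, PAGE_SHA1))
```

Run it before answering the prompt in Step 13, or feed it the value the CA administrator gave you in whatever spelling they used. MD5 and SHA-1 are what this IOS release prints; when both sides can produce it, compare the SHA-256 fingerprint instead, since it is the one that cannot be collided.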
Configuring a Persistent Self-Signed Certificate for Enrollment via SSL

This section contains the following tasks:

• Configuring a Trustpoint and Specifying Self-Signed Certificate Parameters
• Enabling the HTTPS Server

Note: These tasks are optional because if you enable the HTTPS server, it generates a self-signed certificate automatically using default values.

Persistent Self-Signed Certificates Overview

The SSL protocol can be used to establish a secure connection between an HTTPS server and a client (web browser). During the SSL handshake, the client expects the SSL server's certificate to be verifiable using a certificate the client already possesses.

If Cisco IOS software does not have a certificate that the HTTPS server can use, the server generates a self-signed certificate by calling a PKI application programming interface (API). When the client receives this self-signed certificate and is unable to verify it, intervention is needed. The client asks you whether the certificate should be accepted and saved for future use. If you accept the certificate, the SSL handshake continues.

Future SSL handshakes between the same client and the server use the same certificate. However, if the router is reloaded, the self-signed certificate is lost. The HTTPS server must then create a new self-signed certificate. This new self-signed certificate does not match the previous certificate, so you are once again asked to accept it.

Being asked to accept the router's certificate each time the router reloads presents an opportunity for an attacker to substitute an unauthorized certificate at the moment you are being asked to accept one. Persistent self-signed certificates overcome these limitations by saving the certificate in the router's startup configuration, so the client sees the same certificate across reloads and a changed certificate becomes a meaningful warning rather than routine.

Restrictions

You can configure only one trustpoint for a persistent self-signed certificate.

Note: Do not change the IP domain name or the hostname of the router after creating the self-signed certificate. Changing either name triggers the regeneration of the self-signed certificate and overrides the configured trustpoint. WebVPN ties the SSL trustpoint name to the WebVPN gateway configuration. If a new self-signed certificate is triggered, the new trustpoint name does not match the WebVPN configuration, causing the WebVPN connections to fail.

Configuring a Trustpoint and Specifying Self-Signed Certificate Parameters

Note: Security threats, as well as the cryptographic technologies to help protect against them, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the Next Generation Encryption (NGE) white paper.

Perform the following task to configure a trustpoint and specify self-signed certificate parameters.

SUMMARY STEPS

1. enable
2. configure terminal
3. crypto pki trustpoint name
4. enrollment selfsigned
5. subject-name [x.500-name]
6. rsakeypair key-label [key-size [encryption-key-size]]
7. crypto pki enroll name
8. end
9. show crypto pki certificates [trustpoint-name [verbose]]
10. show crypto pki trustpoints [status | label [status]]

DETAILED STEPS

Step 1  enable
  Purpose: Enables privileged EXEC mode.
  • Enter your password if prompted.
  Example: Router> enable

Step 2  configure terminal
  Purpose: Enters global configuration mode.
  Example: Router# configure terminal

Step 3  crypto pki trustpoint name
  Purpose: Declares the CA that your router should use and enters ca-trustpoint configuration mode.
  Note: Effective with Cisco IOS Release 12.3(8)T, the crypto pki trustpoint command replaced the crypto ca trustpoint command.
  Example: Router(config)# crypto pki trustpoint local

Step 4  enrollment selfsigned
  Purpose: Specifies self-signed enrollment.
  Example: Router(ca-trustpoint)# enrollment selfsigned

Step 5  subject-name [x.500-name]
  Purpose: (Optional) Specifies the requested subject name to be used in the certificate request.
  • If no value for the x.500-name argument is specified, the FQDN, which is the default subject name, is used.
  Example: Router(ca-trustpoint)# subject-name

Step 6  rsakeypair key-label [key-size [encryption-key-size]]
  Purpose: (Optional) Specifies which key pair to associate with the certificate.
  • The key pair named by the key-label argument is generated during enrollment if it does not already exist or if the auto-enroll regenerate command was issued.
  • Specify a value for the key-size argument for generating the key, and specify a value for the encryption-key-size argument to request separate encryption and signature keys and certificates. The key-size and encryption-key-size must be the same size. A length of less than 2048 is not recommended.
  Note: If this command is not configured, the FQDN key pair is used.
  Example: Router(ca-trustpoint)# rsakeypair examplekey 2048

Step 7  crypto pki enroll name
  Purpose: Tells the router to generate the persistent self-signed certificate.
  Example: Router(ca-trustpoint)# crypto pki enroll local

Step 8  end
  Purpose: (Optional) Exits ca-trustpoint configuration mode and returns to privileged EXEC mode.
  Example: Router(ca-trustpoint)# end

Step 9  show crypto pki certificates [trustpoint-name [verbose]]
  Purpose: Displays information about your certificate, the certification authority certificate, and any registration authority certificates.
  Example: Router# show crypto pki certificates local verbose

Step 10  show crypto pki trustpoints [status | label [status]]
  Purpose: Displays the trustpoints that are configured in the router.
  Example: Router# show crypto pki trustpoints status

Enabling the HTTPS Server

Perform the following task to enable the HTTPS server.

Before you begin

To specify parameters, you must create a trustpoint and configure it. To use default values, delete any existing self-signed trustpoints. Deleting all self-signed trustpoints causes the HTTPS server to generate a persistent self-signed certificate using default values as soon as the server is enabled.

SUMMARY STEPS

1. enable
2. configure terminal
3. ip http secure-server
4. end
5. copy system:running-config nvram:startup-config

DETAILED STEPS

Step 1  enable
  Purpose: Enables privileged EXEC mode.
  • Enter your password if prompted.
  Example: Router> enable

Step 2  configure terminal
  Purpose: Enters global configuration mode.
  Example: Router# configure terminal

Step 3  ip http secure-server
  Purpose: Enables the HTTPS web server.
  Note: If no self-signed trustpoint exists, a key pair (modulus 1024) and a self-signed certificate are generated automatically. A 1024-bit modulus is below the 2048 bits recommended elsewhere in this module; to get a larger key, configure the trustpoint and its rsakeypair first, as in the preceding task.
  Example: Router(config)# ip http secure-server

Step 4  end
  Purpose: Exits global configuration mode and returns to privileged EXEC mode.
  Example: Router(config)# end

Step 5  copy system:running-config nvram:startup-config
  Purpose: Saves the self-signed certificate and the enabled HTTPS server to the startup configuration.
  Example: Router# copy system:running-config nvram:startup-config

Configuring a Certificate Enrollment Profile for Enrollment or Reenrollment

Perform this task to configure a certificate enrollment profile for enrollment or reenrollment. This task helps you to configure an enrollment profile for certificate enrollment or reenrollment of a router with a Cisco IOS CA when the router is already enrolled with a third-party vendor CA.

A router that is enrolled with a third-party vendor CA can use its existing certificate to enroll with the Cisco IOS certificate server so that the enrollment request is granted automatically. To enable this functionality, you must issue the enrollment credential command; manual certificate enrollment cannot be used together with it.

Before you begin

Perform the following tasks at the client router before configuring a certificate enrollment profile for a client router that is already enrolled with a third-party vendor CA, so that the router can reenroll with a Cisco IOS certificate server:

• Define a trustpoint that points to the third-party vendor CA.
• Authenticate and enroll the client router with the third-party vendor CA.

Note:
• To use certificate profiles, your network must have an HTTP interface to the CA.
• If an enrollment profile is specified, an enrollment URL may not be specified in the trustpoint configuration. Although both commands are supported, only one command can be used at a time in a trustpoint.
• Because there is no standard for the HTTP commands used by various CAs, the user is required to enter the command that is appropriate to the CA that is being used.

SUMMARY STEPS

1. enable
2. configure terminal
3. crypto pki trustpoint name
4. enrollment profile label
5. exit
6. crypto pki profile enrollment label
7. Do one of the following:
   • authentication url url
   • authentication terminal
8. authentication command
9. Do one of the following:
   • enrollment url url
   • enrollment terminal
10. enrollment credential label
11. enrollment command
12. parameter number {value value | prompt string}
13. exit
14. show crypto pki certificates

DETAILED STEPS

Step 1  enable
  Purpose: Enables privileged EXEC mode.
  • Enter your password if prompted.
  Example: Router> enable

Step 2  configure terminal
  Purpose: Enters global configuration mode.
  Example: Router# configure terminal

Step 3  crypto pki trustpoint name
  Purpose: Declares the trustpoint with the given name and enters ca-trustpoint configuration mode.
  Example: Router(config)# crypto pki trustpoint Entrust

Step 4  enrollment profile label
  Purpose: Specifies that an enrollment profile is to be used for certificate authentication and enrollment.
  Example: Router(ca-trustpoint)# enrollment profile E

Step 5  exit
  Purpose: Exits ca-trustpoint configuration mode.
  Example: Router(ca-trustpoint)# exit

Step 6  crypto pki profile enrollment label
  Purpose: Defines an enrollment profile and enters ca-profile-enroll configuration mode.
  • label: Name for the enrollment profile; the enrollment profile name must match the name specified in the enrollment profile command.
  Example: Router(config)# crypto pki profile enrollment E

Step 7  Do one of the following:
  • authentication url url
  • authentication terminal
  Purpose: authentication url url specifies the URL of the CA server to which to send certificate authentication requests.
    • url: URL of the CA server to which your router should send authentication requests. If you are using HTTP, the URL should read "[Link]" where CA_name is the host DNS name or IP address of the CA. If you are using TFTP, the URL should read "t[Link]". (If the URL does not include a file specification, the FQDN of the router is used.)
  Purpose: authentication terminal specifies manual cut-and-paste certificate authentication.
  Example: Router(ca-profile-enroll)# authentication url [Link]
  Example: Router(ca-profile-enroll)# authentication terminal

Step 8  authentication command
  Purpose: (Optional) Specifies the HTTP command that is sent to the CA for authentication.
  Example: Router(ca-profile-enroll)# authentication command

Step 9  Do one of the following:
  • enrollment url url
  • enrollment terminal
  Purpose: enrollment url url specifies the URL of the CA server to which to send certificate enrollment requests via HTTP or TFTP. enrollment terminal specifies manual cut-and-paste certificate enrollment.
  Example: Router(ca-profile-enroll)# enrollment url [Link]cgi/[Link]
  Example: Router(ca-profile-enroll)# enrollment terminal

Step 10  enrollment credential label
  Purpose: (Optional) Specifies the third-party vendor CA trustpoint that is to be enrolled with the Cisco IOS CA.
  Note: This command cannot be issued if manual certificate enrollment is being used.
  Example: Router(ca-profile-enroll)# enrollment credential Entrust

Step 11  enrollment command
  Purpose: (Optional) Specifies the HTTP command that is sent to the CA for enrollment.
  Example: Router(ca-profile-enroll)# enrollment command

Step 12  parameter number {value value | prompt string}
  Purpose: (Optional) Specifies parameters for an enrollment profile.
  • This command can be used multiple times to specify multiple values.
  Example: Router(ca-profile-enroll)# parameter 1 value aaaa-bbbb-cccc

Step 13  exit
  Purpose: (Optional) Exits ca-profile-enroll configuration mode.
  • Enter this command a second time to exit global configuration mode.
  Example: Router(ca-profile-enroll)# exit

Step 14  show crypto pki certificates
  Purpose: (Optional) Displays information about your certificates, the certificates of the CA, and RA certificates.
  Example: Router# show crypto pki certificates

What to Do Next

If you configured the router to reenroll with a Cisco IOS CA, you should configure the Cisco IOS certificate server to accept enrollment requests only from clients already enrolled with the specified third-party vendor CA trustpoint to take advantage of this functionality. For more information, see the module "Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment."

Configuring Certificate Enrollment in a Two-Tier PKI Environment

This feature enables sub-CAs to issue certificates to their clients while the root CA is offline. The root certificate is imported through the CLI first, and is then used to validate the issuing sub-CA certificate configured under the trustpoint.

Note: Enable revocation checking as appropriate for your environment before performing the following tasks; the revocation-check none lines below disable it.

To import the ROOT-CA through the terminal, perform the following steps:

enable
!
configure terminal
!
crypto pki trustpoint ROOT-CA
 revocation-check none
 enrollment terminal
!
crypto pki authenticate ROOT-CA
!
exit

To authenticate the SUB-CA without specifying or accepting a fingerprint, point its trustpoint at the already authenticated ROOT-CA with chain-validation continue; the SUB-CA certificate is then verified by chain validation against the root rather than by fingerprint:

enable
!
configure terminal
!
crypto pki trustpoint SUB-CA
 revocation-check none
 enrollment url url
 chain-validation continue ROOT-CA
 exit
!
crypto pki authenticate SUB-CA
exit

Configuration Examples for PKI Certificate Enrollment Requests

Configuring Certificate Enrollment or Autoenrollment Example

The following example shows the configuration for the "mytp-A" certificate server and its associated trustpoint, where RSA keys generated by the initial autoenrollment for the trustpoint will be stored on a USB token, "usbtoken0":

crypto pki server mytp-A
 database level complete
 issuer-name CN=company, L=city, C=country
 grant auto
! Specifies that certificate requests will be granted automatically.
!
crypto pki trustpoint mytp-A
 revocation-check none
 rsakeypair myTP-A
 storage usbtoken0:
! Specifies that keys will be stored on usbtoken0:.
 on usbtoken0:
! Specifies that keys generated on initial auto enroll will be generated on and stored on usbtoken0:.

Configuring Autoenrollment Example

The following example shows how to configure the router to automatically enroll with a CA on startup, enabling automatic rollover, and how to specify all necessary enrollment information in the configuration:

crypto pki trustpoint trustpt1
 enrollment url [Link]
 subject-name OU=Spiral Dept., O=[Link]
 ip-address ethernet-0
 serial-number none
 usage ike
 auto-enroll regenerate
 password password1
 rsakeypair trustpt1 2048
!
crypto pki certificate chain trustpt1
 certificate pki 0B
30820293 3082023D A0030201 0202010B 300D0609 2A864886 F70D0101 04050030
79310B30 09060355 04061302 5553310B 30090603 55040813 02434131 15301306
0355040A 130C4369 73636F20 53797374 656D3120 301E0603 55040B13 17737562
6F726420 746F206B 6168756C 75692049 50495355 31243022 06035504 03131B79
6E692D75 31302043 65727469 66696361 7465204D 616E6167 6572301E 170D3030
30373134 32303536 32355A17 0D303130 37313430 31323834 335A3032 310E300C
06035504 0A130543 6973636F 3120301E 06092A86 4886F70D 01090216 11706B69
2D343562 2E636973 636F2E63 6F6D305C 300D0609 2A864886 F70D0101 01050003
4B003048 024100B3 0512A201 3B4243E1 378A9703 8AC5E3CE F77AF987 B5A422C4
15E947F6 70997393 70CF34D6 63A86B9C 4347A81A 0551FC02 ABA62360 01EF7DD2
6C136AEB 3C6C3902 03010001 A381F630 81F3300B 0603551D 0F040403 02052030
1C060355 1D110415 30138211 706B692D 3435622E 63697363 6F2E636F 6D301D06
03551D0E 04160414 247D9558 169B9A21 23D289CC 2DDA2A9A 4F77C616 301F0603
551D2304 18301680 14BD742C E892E819 1D551D91 683F6DB2 D8847A6C 73308185
0603551D 1F047E30 7C307AA0 3CA03AA4 38303631 0E300C06 0355040A 13054369
73636F31 24302206 03550403 131B796E 692D7531 30204365 72746966 69636174
65204D61 6E616765 72A23AA4 38303631 0E300C06 0355040A 13054369 73636F31
24302206 03550403 131B796E 692D7531 30204365 72746966 69636174 65204D61
6E616765 72300D06 092A8648 86F70D01 01040500 03410015 BC7CECF9 696697DF
E887007F 7A8DA24F 1ED5A785 C5C60452 47860061 0C18093D 08958A77 5737246B
0A25550A 25910E27 8B8B428E 32F8D948 3DD1784F 954C70
 quit

Note: In this example, keys are neither regenerated nor rolled over.

Configuring Certificate Autoenrollment with Key Regeneration Example

The following example shows how to configure the router to automatically enroll with the CA named "trustme1" on startup and enable automatic rollover. The regenerate keyword is issued, so a new key pair is generated for the certificate and the certificate is reissued when the automatic rollover process is initiated. The renewal percentage is configured as 90, so if the certificate has a lifetime of one year, a new certificate is requested 36.5 days before the old certificate expires. The changes made to the running configuration are saved to the NVRAM startup configuration because autoenrollment will not update NVRAM if the running configuration has been modified but not written to NVRAM.

crypto pki trustpoint trustme1
 enrollment url [Link]
 subject-name OU=Spiral Dept., O=[Link]
 ip-address ethernet0
 serial-number none
 auto-enroll 90 regenerate
 password password1
 rsakeypair trustme1 2048
 exit
crypto pki authenticate trustme1
copy system:running-config nvram:startup-config

Configuring Cut-and-Paste Certificate Enrollment Example

The following example shows how to configure certificate enrollment using the manual cut-and-
paste enrollment method:

Router(config)#
crypto pki trustpoint TP
Router(ca-trustpoint)#
enrollment terminal
Router(ca-trustpoint)#
crypto pki authenticate TP
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIICNDCCAd6gAwIBAgIQOsCmXpVHwodKryRoqULV7jANBgkqhkiG9w0BAQUFADA5
MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNQ2lzY28gU3lzdGVtczESMBAGA1UEA
xMJ
bXNjYS1yb290MB4XDTAyMDIxNDAwNDYwMVoXDTA3MDIxNDAwNTQ0OFowOTEL
MAkG
A1UEBhMCVVMxFjAUBgNVBAoTDUNpc2NvIFN5c3RlbXMxEjAQBgNVBAMTCW1zY2
Et
cm9vdDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCix8nIGFg+wvy3BjFbVi25wYoG
K2N0HWWHpqxFuFhqyBnIC0OshIn9CtrdN3JvUNHr0NIKocEwNKUGYmPwWGTfAgMB
AAGjgcEwgb4wCwYDVR0PBAQDAgHGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
BBYE
FKIacsl6dKAfuNDVQymlSp7esf8jMG0GA1UdHwRmMGQwL6AtoCuGKWh0dHA6Ly9t
c2NhLXJvb3QvQ2VydEVucm9sbC9tc2NhLXJvb3QuY3JsMDGgL6AthitmaWxlOi8v
XFxtc2NhLXJvb3RcQ2VydEVucm9sbFxtc2NhLXJvb3QuY3JsMBAGCSsGAQQBgjcV
AQQDAgEAMA0GCSqGSIb3DQEBBQUAA0EAeuZkZMX9qkoLHfETYTpVWjZPQbBmwN
RA
oJDSdYdtL3BcI/uLL5q7EmODyGfLyMGxuhQYx5r/40aSQgLCqBq+yg==
-----END CERTIFICATE-----
Certificate has the following attributes:
Fingerprint: D6C12961 CD78808A 4E02193C 0790082A
% Do you accept this certificate? [yes/no]:
y
Trustpoint CA certificate accepted.
% Certificate successfully imported
Router(config)#
crypto pki enroll TP
% Start certificate enrollment..
% The subject name in the certificate will be:
[Link]
% Include the router serial number in the subject name? [yes/no]:
n
% Include an IP address in the subject name? [no]:
n
Display Certificate Request to terminal? [yes/no]:
y
Signature key certificate request -
Certificate Request follows:
!
!
!
Redisplay enrollment request? [yes/no]:
Encryption key certificate request -
Certificate Request follows:
!
!
!
Redisplay enrollment request? [yes/no]: n
Router(config)# crypto pki import TP certificate
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
% Router Certificate successfully imported
Router(config)# crypto pki import TP cert
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
% Router Certificate successfully imported

You can verify that the certificate was successfully imported by issuing the show crypto pki
certificates command:

Router# show crypto pki certificates
Certificate
Status: Available
Certificate Serial Number: 14DECE05000000000C48
Certificate Usage: Encryption
Issuer:
CN = TPCA-root
O = Company
C = US
Subject:
Name: [Link]
OID.1.2.840.113549.1.9.2 = [Link]
CRL Distribution Point:
[Link]
Validity Date:
start date: 18:16:45 PDT Jun 7 2002
end date: 18:26:45 PDT Jun 7 2003
renew date: 16:00:00 PST Dec 31 1969
Associated Trustpoints: TP
Certificate
Status: Available
Certificate Serial Number: 14DEC2E9000000000C47
Certificate Usage: Signature
Issuer:
CN = tpca-root
O = company
C = US
Subject:
Name: [Link]
OID.1.2.840.113549.1.9.2 = [Link]
CRL Distribution Point:
[Link]
Validity Date:
start date: 18:16:42 PDT Jun 7 2002
end date: 18:26:42 PDT Jun 7 2003
renew date: 16:00:00 PST Dec 31 1969
Associated Trustpoints: TP
CA Certificate
Status: Available
Certificate Serial Number: 3AC0A65E9547C2874AAF2468A942D5EE
Certificate Usage: Signature
Issuer:
CN = tpca-root
O = Company
C = US
Subject:
CN = tpca-root
O = company
C = US
CRL Distribution Point:
[Link]
Validity Date:
start date: 16:46:01 PST Feb 13 2002
end date: 16:54:48 PST Feb 13 2007
Associated Trustpoints: TP

Configuring Manual Certificate Enrollment with Key Regeneration Example

The following example shows how to regenerate new keys with a manual certificate enrollment
from the CA named “trustme2”:

crypto pki trustpoint trustme2
enrollment url [Link]
subject-name OU=Spiral Dept., O=[Link]
ip-address ethernet0
serial-number none
regenerate
password password1
rsakeypair trustme2 2048
exit
crypto pki authenticate trustme2
crypto pki enroll trustme2

Creating and Verifying a Persistent Self-Signed Certificate Example

The following example shows how to declare and enroll a trustpoint named “local” and generate
a self-signed certificate with an IP address:

crypto pki trustpoint local
enrollment selfsigned
end
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
crypto pki enroll local
Nov 29 20:51:13.067: %SSH-5-ENABLED: SSH 1.99 has been enabled
Nov 29 20:51:13.267: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
% Include the router serial number in the subject name? [yes/no]: yes
% Include an IP address in the subject name? [no]: yes
Enter Interface name or IP Address[]: ethernet 0
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created

Note
A router can have only one self-signed certificate. If you attempt to enroll a trustpoint
configured for a self-signed certificate and one already exists, you receive a notification
and are asked if you want to replace it. If so, a new self-signed certificate is generated to
replace the existing one.

Enabling the HTTPS Server Example

The following example shows how to enable the HTTPS server and generate a default trustpoint
because one was not previously configured:

configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
ip http secure-server
% Generating 1024 bit RSA keys ...[OK]
*Dec 21 19:14:15.421:%PKI-4-NOAUTOSAVE:Configuration was modified. Issue "write memory" to save new certificate
Router(config)#

Note
You need to save the configuration to NVRAM if you want to keep the self-signed certificate and have the HTTPS server enabled following router reloads.

The following message also appears:

*Dec 21 19:14:10.441:%SSH-5-ENABLED:SSH 1.99 has been enabled

Note
Creation of the key pair used with the self-signed certificate causes the Secure Shell (SSH) server to start. This behavior cannot be suppressed. You may want to modify your Access Control Lists (ACLs) to permit or deny SSH access to the router. You can use the ip ssh rsa keypair-name unexisting-key-pair-name command to disable the SSH server.

Verifying the Self-Signed Certificate Configuration Example

The following example displays information about the self-signed certificate that you just
created:

Router# show crypto pki certificates
Router Self-Signed Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: General Purpose
Issuer:
cn=IOS-Self-Signed-Certificate-3326000105
Subject:
Name: IOS-Self-Signed-Certificate-3326000105
cn=IOS-Self-Signed-Certificate-3326000105
Validity Date:
start date: 19:14:14 GMT Dec 21 2004
end date: 00:00:00 GMT Jan 1 2020
Associated Trustpoints: TP-self-signed-3326000105

Note
The number 3326000105 is the router's serial number and varies depending on the router's actual serial number.

The following example displays information about the key pair corresponding to the self-signed
certificate:

Router# show crypto key mypubkey rsa
% Key pair was generated at: 19:14:10 GMT Dec 21 2004
Key name: TP-self-signed-3326000105
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00B88F70
6BC78B6D 67D6CFF3 135C1D91 8F360292 CA44A032 5AC1A8FD 095E4865 F8C95A2B
BFD1C2B7 E64A3804 9BBD7326 207BD456 19BAB78B D075E78E 00D2560C B09289AE
6DECB8B0 6672FB3A 5CDAEE92 9D4C4F71 F3BCB269 214F6293 4BA8FABF 9486BCFC
2B941BCA 550999A7 2EFE12A5 6B7B669A 2D88AB77 39B38E0E AA23CB8C B7020301
0001
% Key pair was generated at: 19:14:13 GMT Dec 21 2004
Key name: [Link]
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00C5680E 89777B42
463E5783 FE96EA9E F446DC7B 70499AF3 EA266651 56EE29F4 5B003D93 2FC9F81D
8A46E12F 3FBAC2F3 046ED9DD C5F27C20 1BBA6B9B 08F16E45 C34D6337 F863D605
34E30F0E B4921BC5 DAC9EBBA 50C54AA0 BF551BDD 88453F50 61020301 0001

Note
The second key pair with the name [Link] is the SSH key pair and is generated when any key pair is created on the router and SSH starts up.

The following example displays information about the trustpoint named “local”:

Router# show crypto pki trustpoints
Trustpoint local:
Subject Name:
serialNumber=C63EBBE9+ipaddress=[Link]+hostname=[Link]
Serial Number: 01
Persistent self-signed certificate trust point

Configuring Direct HTTP Enrollment Example

The following example shows how to configure an enrollment profile for direct HTTP enrollment
with a CA server:

crypto pki trustpoint Entrust
enrollment profile E
serial
crypto pki profile enrollment E
authentication url [Link]
authentication command GET /certs/[Link]
enrollment url [Link]
enrollment command POST reference_number=$P2&authcode=$P1&retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQ
parameter 1 value aaaa-bbbb-cccc
parameter 2 value 5001

Configuring Certificate Enrollment in a Two-Tier PKI Environment Example

The following example shows how to import the ROOT-CA certificate through the terminal:

(config)#crypto pki trustpoint ROOT-CA
(ca-trustpoint)#revocation-check none
(ca-trustpoint)#enrollment terminal
(config)#crypto pki authenticate ROOT-CA
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
quit
Certificate has the following attributes:
Fingerprint MD5: 99182E1E 96FB0595 DF86BFCE 3C781CF5
Fingerprint SHA1: 6E55B878 9AA3B603 D689AC25 F027615E 0C88E6E4

% Do you accept this certificate? [yes/no]: yes
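
The fingerprint shown at the "Do you accept this certificate?" prompt, both in the manual cut-and-paste example earlier and in the ROOT-CA import here, is the only evidence the operator has that the pasted blob is the genuine CA certificate, so it should be compared with a value obtained out of band from the CA operator before answering yes. The following added Python example (not Cisco code) computes the MD5 and SHA1 fingerprints of a pasted PEM block in the grouped format IOS displays and compares them with an out-of-band value; the certificate bytes it uses are a constructed stand-in, not a real certificate.

```python
"""Verify a pasted CA certificate's fingerprint before answering "yes" at the IOS
'Do you accept this certificate?' prompt: hash the DER bytes and compare them with
a value obtained out of band. Added example, not Cisco code; sample is constructed."""
import base64
import hashlib
import re
import textwrap

def pem_to_der(pem_text):
    """Drop the BEGIN/END lines and a trailing 'quit', then base64-decode the rest.
    Line breaks inside the body are ignored, so a blob wrapped over several lines
    (as in a terminal paste) decodes to the same DER bytes."""
    body = []
    for line in pem_text.splitlines():
        line = line.strip()
        if not line or line.startswith("-----") or line.lower() == "quit":
            continue
        body.append(line)
    return base64.b64decode("".join(body))

def ios_fingerprint(der, algorithm="md5"):
    """Hash the DER bytes and render the digest as uppercase hex in groups of
    eight characters, the layout IOS uses for 'Fingerprint MD5:' / 'SHA1:'."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))

def fingerprints_match(shown, expected):
    """Compare the router's displayed fingerprint with the out-of-band value,
    ignoring spaces, colons and letter case ('99:18:2e:..' vs '99182E1E ..')."""
    def normalise(s):
        return re.sub(r"[\s:]", "", s).upper()
    return normalise(shown) == normalise(expected)

def der_to_pem(der):
    """Wrap DER bytes as a 64-column PEM block, the form a CA hands to the operator."""
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----\n")

# Constructed sample (not a real certificate): arbitrary bytes standing in for DER,
# long enough that the PEM body wraps onto several lines.
SAMPLE_DER = b"constructed DER stand-in for a CA certificate " * 3
SAMPLE_PEM = der_to_pem(SAMPLE_DER) + "quit\n"   # 'quit' ends the paste in IOS

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    for alg in ("md5", "sha1"):
        print(f"Fingerprint {alg.upper()}: {ios_fingerprint(der, alg)}")
```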

The following example authenticates SUB-CA without having to specify or accept a fingerprint: because the trustpoint is configured with chain-validation continue ROOT-CA, the SUB-CA certificate is validated against the ROOT-CA certificate that was already accepted above.

(config)#crypto pki trustpoint SUB-CA
(ca-trustpoint)#enrollment url [Link]
(ca-trustpoint)#chain-validation continue ROOT-CA
(ca-trustpoint)#revocation-check none
(ca-trustpoint)#crypto pki authenticate SUB-CA
Certificate has the following attributes:
Fingerprint MD5: 5C38CB0A 050AAE87 84A08A75 5F7084B8
Fingerprint SHA1: EB829470 B8B9E26E 4457F346 7A3E957C C623C6F9
Certificate validated - Signed by existing trustpoint CA certificate.

Trustpoint CA certificate accepted.
