% The 'show crypto ca certificate' command will also show the fingerprint.ģ640(config)# Fingerprint: D9CE886E B4B76115 B7149128 6658E7CAĠ0:58:17: CRYPTO_PKI: status = 102: certificate request pendingĠ0:58:39: CRYPTO_PKI: status = 102: certificate request pendingĠ0:59:42: %CRYPTO-6-CERTRET: Certificate received from Certificate Authority % The certificate request fingerprint will be displayed. % Certificate request sent to Certificate Authority
% The subject name in the certificate will be: !- Enroll to CA server and get router's own certificate.
So that the router will try to enroll !- to the CA server automatically when its certificates !- expire, auto-enroll was turned on.ģ640(ca-trustpoint)# crl query ldap://171.69.89.126ģ640(ca-trustpoint)# usage ike !- Retrieves CA and registration authority (RA) !- certificates from the CA server.Ĭertificate has the following attributes:įingerprint: 0D8E6CF8 C63D7068 3BA4B90A 16054812
Note that in Cisco IOS Software !- Release 12.2(8)T, the crypto ca trustpoint command !- replaces the crypto ca identity command from previous !- Cisco IOS versions. Choosing a key modulus greater than 512 may take The name for the keys will be: Ĭhoose the size of the key modulus in the range of 360 to 2048 for your !- The fully qualified domain name (FQDN) will be used !- as the identity of the router during certificate enrollment.ģ640(config)# ip domain-name !- Generate RSA (encryption and authentication) keys.
!- Define a hostname and domain name for the router. This document uses the configurations shown below.Ĭertificate Enrollment for the Cisco VPN ClientĬonfiguring a VPN Connection on the Cisco VPN ClientĬertificate Enrollment on IOS Router 3640 This document uses the network setup shown in the diagram below. Note: To find additional information on the commands used in this document, use the Command Lookup Tool ( registered customers only). In this section, you are presented with the information to configure the features described in this document. If you are working in a live network, ensure that you understand the potential impact of any command before using it. All of the devices used in this document started with a cleared (default) configuration. The information presented in this document was created from devices in a specific lab environment. The information in this document is based on the software and hardware versions below.Ī Cisco 3640 router running Cisco IOS software version 12.2(8)T (IOS image: )Ī Cisco VPN Client 4.0.1 on a PC running Windows 2000Īn Entrust CA server used as the CA server
There are no specific prerequisites for this document. Before You Begin Conventionsįor more information on document conventions, see the Cisco Technical Tips Conventions. The configuration example in this document also highlights the certification authority (CA) enrollment procedure for both the Cisco IOS router and the Cisco VPN Client using Entrust as the CA server. This feature is supported in Cisco IOS software releases 12.2(8)T and later.
This document demonstrates how to configure an IPSec VPN tunnel between a Cisco IOS® router and a Cisco VPN Client 3.x using Entrust certificates.