RE: certificate enrollment on IOS

From: Mark Snow (mark@ipexpert.com)
Date: Tue Apr 24 2007 - 19:19:59 ART


Yes it is possible.

In the IOS router, under your crypto pki trustpoint, you need to use the
command 'enrollment terminal'; then you will be able to cut and paste the
base64-exported certificate directly into the terminal.

As follows:

<snip>

R1(config)#crypto pki trustpoint MYCERT
R1(ca-trustpoint)#revocation-check none
R1(ca-trustpoint)#enrollment terminal
R1(config)#crypto pki authenticate MYCERT

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
[base64-encoded CA certificate pasted here; data omitted]

Trustpoint 'MYCERT' is a subordinate CA and holds a non self signed cert
Trustpoint 'MYCERT' is a subordinate CA.
but certificate is not a CA certificate.
Manual verification required
Certificate has the following attributes:
       Fingerprint MD5: C3004B1F F930D34D 02EEC9C2 886CDF77
      Fingerprint SHA1: E00B0443 1CDC5225 E8A21D3E BB896AB1 76DFC3C1

% Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.
% Certificate successfully imported

R1(config)#

</snip>

Hope this helps!

Mark Snow
Senior Technical Instructor - IPexpert, Inc.
CCIE #14073 (Voice, Security)
URL: http://www.IPexpert.com
Toll Free: +1.866.225.8064
International: +1.810.326.1444
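
The router output above prints MD5 and SHA1 fingerprints and says "Manual verification required" before you answer yes. The script below is an added example (not part of Mark's reply or any Cisco tool) for the workstation side of that check: it takes the CA certificate you exported (PEM or bare base64, exactly what you paste after 'enrollment terminal'), hashes the DER bytes, prints the result in the same 8-character groups IOS uses, and compares it against the fingerprint lines copied from the router prompt. It uses only the Python standard library; the sample certificate body is a constructed placeholder (base64 of the bytes "abc"), not a real certificate, because the hashing is identical for real DER.

```python
"""Compute IOS-style certificate fingerprints from an exported CA certificate.

Added example, not from the original thread. Standard library only.
"""
import base64
import hashlib
import re

# Matches a PEM block; the group captures the base64 body between the armor lines.
PEM_RE = re.compile(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", re.S)


def pem_to_der(text: str) -> bytes:
    """Return DER bytes from a PEM block, or from bare base64 as pasted on IOS."""
    m = PEM_RE.search(text)
    body = m.group(1) if m else text
    b64 = "".join(body.split())  # drop line breaks and stray whitespace
    return base64.b64decode(b64, validate=True)


def ios_fingerprint(cert_text: str, algo: str) -> str:
    """Hash the DER encoding and format like IOS: upper-case hex in 8-char groups."""
    digest = hashlib.new(algo, pem_to_der(cert_text)).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def parse_router_fingerprints(output: str) -> dict:
    """Pull the 'Fingerprint MD5:' / 'Fingerprint SHA1:' lines out of router output."""
    found = {}
    for m in re.finditer(r"Fingerprint\s+(MD5|SHA1):\s*([0-9A-Fa-f ]+)", output):
        found[m.group(1).lower()] = m.group(2).strip()
    return found


def fingerprint_matches(cert_text: str, router_output: str, algo: str = "sha1") -> bool:
    """True when the fingerprint the router displayed equals the one computed locally.

    SHA1 is the default because the MD5 line is the weaker of the two the router shows.
    """
    shown = parse_router_fingerprints(router_output).get(algo)
    if shown is None:
        return False

    def norm(s: str) -> str:
        return re.sub(r"\s+", "", s).upper()

    return norm(shown) == norm(ios_fingerprint(cert_text, algo))


if __name__ == "__main__":
    # Constructed sample: PEM armor around the bytes b"abc" (NOT a real certificate).
    sample_pem = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
    print("MD5 :", ios_fingerprint(sample_pem, "md5"))
    print("SHA1:", ios_fingerprint(sample_pem, "sha1"))
    # Paste the 'Certificate has the following attributes:' lines from the router
    # into router_text and call fingerprint_matches(sample_pem, router_text).
```

Run it against the certificate file you exported from the CA, then compare the SHA1 line with the one the router prints before answering the "Do you accept this certificate?" prompt; a mismatch means you are about to trust something other than the certificate you exported.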

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Edward Norton
Sent: Tuesday, April 24, 2007 8:35 AM
To: security@groupstudy.com; ccielab@groupstudy.com
Subject: certificate enrollment on IOS

Guys;
  Is it possible to install a certificate on a router manually? Let's say I
created the certificate on MS CA and want to install it manually along with
the CA root certificate on the router. If that is possible, can anyone point
to a link that explains how? Unfortunately most links explain how to enroll
automatically using IOS CA.

  Thanks in advance





This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:37 ART