crypto pki enroll-est-certificate certificate-name ta-profile
Syntax
crypto pki enroll-est-certificate <profile-name> certificate-name <certificate-name>
[force | ta-profile <ta-profile-name>]
usage {all | openflow | web | captive-portal | ssh-client | ssh-server | syslog | radsec-client}
{[key-type rsa | (key-type ecdsa <curve-size>)] |
[subject (common-name <cn_value>) | (include-serial-number) (org <org-value>)(org-unit <org-unit-value>) | (locality <location_value>) | (state <state-value>) (country <country-code>)] |
[valid-start <date> valid-end <date>]}
no crypto pki enroll-est-certificate <profile-name> certificate-name <cert-name> ta-profile <profile-name>
Description
Configures the TA profile and certificate name, and installs certificates sent by the EST server.
The no form of this command stops the ongoing enrollment process. If enrollment has completed, the command removes the mapping between the EST server and the TA profile.
Command context
config
Parameters
certificate-name
Specifies the certificate name.
force
Re-enrolls the certificate with the EST server if the previous enrollment failed.
profile-name
Specifies EST server profile name.
ta-profile-name
Specifies the TA profile name.
rsa|ecdsa
Specifies the key type.
curve-size
Specifies the elliptic curve size. Values allowed are 256 to 384. Default is 256.
cn-value
Specifies the common name for the certificate.
org-value
Specifies the organization name for the certificate.
org-unit-value
Specifies the organization unit for the certificate.
location-value
Specifies the location of the organization.
state-value
Specifies the state.
country-code
Specifies the country/region code.
date
Specifies the start and end validity date for the certificate.
include-serial-number
Specifies the switch serial number and MAC address.
Examples
switch(config)#crypto pki enroll-est-certificate test1 certificate-name cer3 ta-profile ta1
 key-type               Specify the key-type.
 subject                Subject fields of the certificate, the default values are specified in the identity profile.
 usage                  The intended application, default is web.
 valid-start            Certificate validity start date (MM/DD/YYYY).
switch(config)#crypto pki enroll-est-certificate test1 certificate-name cer3 ta-profile ta1 key-type
 ecdsa                  Use the ECDSA key.
 rsa                    Use the RSA key.
 subject                Subject fields of the certificate, the default values are specified in the identity profile.
 usage                  The intended application, default is web.
 valid-start            Certificate validity start date (MM/DD/YYYY).
switch(config)#crypto pki enroll-est-certificate test1 certificate-name cer3 ta-profile ta1 key-type rsa
 1024
 2048
switch(config)#crypto pki enroll-est-certificate test1 certificate-name cer3 ta-profile ta1 key-type rsa 2048
 subject                Subject fields of the certificate, the default values are specified in the identity profile.
 usage                  The intended application, default is web.
 valid-start            Certificate validity start date (MM/DD/YYYY).
switch(config)#crypto pki enroll-est-certificate test1 certificate-name cer3 ta-profile ta1 key-type rsa 2048 subject
 common-name            To specify common name
 country                To specify the two letter ISO 3166-1 country code
 include-serial-number  To specify switch serial number and base mac-address
 locality               To specify locality
 org                    To specify organization
 org-unit               To specify organization unit
 state                  To specify state
 usage                  The intended application, default is web.
 valid-start            Certificate validity start date (MM/DD/YYYY).
switch(config)#crypto pki enroll-est-certificate test1 certificate-name cer3 ta-profile ta1 key-type rsa 2048 subject common-name CN1 country us include-serial-number locality LA org CD org-unit AB state CAL usage
 all                    Used by all applications.
 openflow               Used by openflow application.
 web                    Used by web application.
 captive-portal         Used by captive-portal application.
 ssh-client             Used by ssh-client application.
 ssh-server             Used by ssh-server application.
 syslog                 Used by syslog application.
 radsec-client          Used by RADsec application.
switch(config)#crypto pki enroll-est-certificate test1 certificate-name cer3 ta-profile ta1 key-type rsa 2048 subject common-name CN1 country us include-serial-number locality LA org CD org-unit AB state CAL usage syslog
 valid-start            Certificate validity start date (MM/DD/YYYY).
 <cr>
switch(config)#crypto pki enroll-est-certificate test1 certificate-name cer3 ta-profile ta1 key-type rsa 2048 subject common-name CN1 country us include-serial-number locality LA org CD org-unit AB state CAL usage syslog valid-start 03/02/2019
 valid-end              Certificate validity end date (MM/DD/YYYY).
switch(config)# crypto pki enroll-est-certificate test1 certificate-name cer3 ta-profile ta1 key-type rsa 2048 subject common-name CN1 country us include-serial-number locality LA org CD org-unit AB state CAL usage syslog valid-start 03/02/2019 valid-end 03/20/2025
switch(config)#no crypto pki ta-profile ta1
TA profile ta1 cannot be deleted. Remove EST profile mapping to this TA.
switch(config)#crypto pki clear certificate-name cer3
Certificate "cer3" will be removed. Continue [y/n]? y
Certificate "cer3" cannot be deleted. Remove EST profile mapping to this certificate.
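The following is an added example, not part of the vendor documentation: a Python check that audits an enrollment command line (for instance, one pulled from a saved configuration) against the values this page lists for usage, key type, country code and validity dates. The names `lint_enroll` and `field` are hypothetical, the curve-size check is a plain range test as the parameter description words it, and flagging `rsa 1024` as weak is this example's own policy rather than a rule stated on the page.

```python
import re
from datetime import datetime

# Values below come from the syntax and help output on this page.
USAGES = {"all", "openflow", "web", "captive-portal", "ssh-client",
          "ssh-server", "syslog", "radsec-client"}
RSA_SIZES = {"1024", "2048"}
HEAD = re.compile(r"^(?:switch\(config\)#\s*)?crypto pki enroll-est-certificate "
                  r"(\S+) certificate-name (\S+)(.*)$")

def field(rest, name):
    """Return the token that follows keyword `name`, or None if absent."""
    m = re.search(rf"(?:^|\s){re.escape(name)}\s+(\S+)", rest)
    return m.group(1) if m else None

def lint_enroll(line):
    """Return a list of findings for one enrollment command line."""
    m = HEAD.match(line.strip())
    if not m:
        return ["not an enroll-est-certificate command"]
    rest, out, dates = m.group(3), [], {}
    ktype = field(rest, "key-type")
    if ktype == "rsa":
        size = field(rest, "rsa")
        if size not in RSA_SIZES:
            out.append(f"rsa key size {size} is not offered by the CLI")
        elif size == "1024":  # example's own policy, not stated on the page
            out.append("rsa 1024 is weak; use 2048")
    elif ktype == "ecdsa":
        size = field(rest, "ecdsa")  # may be omitted; the default is 256
        if size and size.isdigit() and not 256 <= int(size) <= 384:
            out.append(f"ecdsa curve size {size} outside 256 to 384")
    elif ktype is not None:
        out.append(f"unknown key-type {ktype}")
    usage = field(rest, "usage")
    if usage is not None and usage not in USAGES:
        out.append(f"unknown usage {usage}")
    country = field(rest, "country")
    if country is not None and not re.fullmatch(r"[A-Za-z]{2}", country):
        out.append(f"country {country} is not a two-letter code")
    for key in ("valid-start", "valid-end"):
        value = field(rest, key)
        if value is not None:
            try:
                dates[key] = datetime.strptime(value, "%m/%d/%Y")
            except ValueError:
                out.append(f"{key} {value} is not MM/DD/YYYY")
    if len(dates) == 2 and dates["valid-end"] <= dates["valid-start"]:
        out.append("valid-end is not after valid-start")
    return out
```

Calling `lint_enroll` on the final full command shown in the examples above returns an empty list; each returned string otherwise names one value that does not match what this page documents.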