Installing a CA certificate
Prerequisites
- Root certificate of a CA.
- Revocation checking URLs for the CA (optional).
Procedure
- Create a TA profile with the command crypto pki ta-profile. This switches to the TA configuration context. The TA profile is where the switch stores the root certificate of the CA that is used to validate leaf certificates installed on the switch, and the certificates of clients communicating with the switch.
- Enable certificate revocation checking with the command revocation-check ocsp.
- Most certificates contain revocation checking URLs for OCSP. If you want to override these URLs, configure custom revocation checking URLs with the command ocsp url.
- Import the root certificate of the CA with the command ta-certificate.
Example
This example creates the TA profile my-root-cert, defines custom revocation checking URLs, and installs the root certificate of the CA:
switch(config)# crypto pki ta-profile my-root-cert
switch(config-ta-my-root-cert)# revocation-check ocsp
switch(config-ta-my-root-cert)# ocsp url primary http://ocsp-server.my-ca.com
switch(config-ta-my-root-cert)# ocsp url secondary http://ocsp-server2.my-ca.com
switch(config-ta-my-root-cert)# ta-certificate
Paste the certificate in PEM format below, then hit enter and ctrl-D:
switch(config-ta-cert)# -----BEGIN CERTIFICATE-----
switch(config-ta-cert)# MIIDuTCCAqECCQCuoxeJ2ZNYcjANBgkqhkiG9w0BAQsFADCBqzELMAkGA1UEBh
switch(config-ta-cert)# VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEDAOBgNVBAcMB1JvY2tsaW4xDDAKBg
switch(config-ta-cert)# BAoMA0hQTjEVMBMGA1UECwwMSFBOUm9zZXZpbGxlMSowKAYDVQQDDCFocG5zdz
switch(config-ta-cert)# OTQucm9zZS5yZGxhYnMuaHBlY29ycC5uZXQxJDAiBgkqhkiG9w0BCQEWFWZyZW
switch(config-ta-cert)# YW4uaHVhbmdAaHBlLmNvbTAeFw0xODAxMTIxODMwNDZaFw0yMDExMDExODMwND
switch(config-ta-cert)# MIGQMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEQMA4GA1UEBw
switch(config-ta-cert)# Um9ja2xpbjEMMAoGA1UECgwDSFBOMRYwFAYDVQQLDA1IUE4gUm9zZXZpbGxlMQ
switch(config-ta-cert)# DAYDVQQDDAU4NDAwWDEkMCIGCSqGSIb3DQEJARYVZnJlZW1hbi5odWFuZ0BocG
switch(config-ta-cert)# Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy55o/a1PA3s40/
switch(config-ta-cert)# U2tr7EBWczMspmdWxVpr4oNMeezY8afNU3nD8Jv6kXtM6zBIDLBtghO3uPCoIO
switch(config-ta-cert)# 9LgnJ25VMo8qe00h10J55ZkKu7DYEB1aCmAvhOzhzsh3efP2Ee49K83iGyymuX
switch(config-ta-cert)# i5vM4iulcA5y2fo5sQZoQezFkKMjyZ/u8ffqS3w5BdrFbIyD0ZungFCFN6NTe6
switch(config-ta-cert)# 67W4o+sLC5i1ZXKO6CC4MEcD3c7qrrcp6W9/0ub3oJsbGDPtRNmCG/EC98oFxJ
switch(config-ta-cert)# 6OLAYduce4/iEm7yVMN901bG2wMJMDRNSySwk+8EC/oHguAGHwQhiq7d+cU0mB
switch(config-ta-cert)# LdGpLwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAXrW/nxQmAN/fozq0mgUuqtX
switch(config-ta-cert)# yS2JaP2xg2xqG/Gn3NYn1F52iqdpbxaACOnbF3y1FFpw3zEPVodGDcOg4QLdvZ
switch(config-ta-cert)# BoSMPULi+DlDeT/3xzzrA2LiiF4MrXhOMdEzpTIxXYdFOmoOAsFeiJ+Eo2/41D
switch(config-ta-cert)# x3WFf3dFZ8o9sd5LVAHneH/ztb9MP34z+le1V346r12L2MDL8JkpxmTOVJVyTO
switch(config-ta-cert)# BIzD/ST/HaWI+0S+S80rm93PSscEbb9GWk7vshh5E8DH73nW/moehBKcE4O1zy
switch(config-ta-cert)# 3LvMLZcssSe5J2Ca2XIhfDme8UaNZ7syGYoCD/TMsAW0nG7yYHWkEOQu9stg
switch(config-ta-cert)# -----END CERTIFICATE-----
switch(config-ta-cert)#
The certificate you are importing has the following attributes:
Issuer: C=US, ST=California, L=Rocklin, O=Mys, OU=Mysite, CN=mysite.com/emailAddress=test.ca@mysite.com
Subject: C=US, ST=California, L=Rocklin, O=Mys, OU=Mysite, CN=8400/emailAddress=test.ca@mysite.com
Serial Number: 12183621634631568498 (0xaea41787d5945772)
Do you want to accept this certificate (y/n)? y
TA certificate accepted.
switch(config-ta-my-root-cert)#
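Before answering the accept prompt, compare the attributes the switch displays with the file you are about to paste, since whatever is accepted becomes a trust anchor for every certificate the switch validates. The following added example (standard-library Python, not from the switch documentation) walks the certificate's DER structure to report the serial number in the same decimal-and-hex form the switch prints and to confirm that issuer and subject match, as they must for a self-signed root. The certificate it parses is a constructed skeleton with a dummy signature, produced by the helper sample_pem, which is invented for this example; ta_cert_attributes itself works on any real PEM certificate.

```python
import base64
import re

def der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Split a constructed element's content into (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = der_read(content, pos)
        out.append((tag, val))
    return out

def ta_cert_attributes(pem):
    """Attributes the switch shows at its accept prompt, read from the PEM itself."""
    body = re.search(r"BEGIN CERTIFICATE-----(.*?)-----END", pem, re.S).group(1)
    _, cert, _ = der_read(base64.b64decode("".join(body.split())), 0)
    tbs = der_children(der_children(cert)[0][1])       # tbsCertificate fields
    if tbs[0][0] == 0xA0:                              # optional [0] EXPLICIT version
        tbs = tbs[1:]
    serial = int.from_bytes(tbs[0][1], "big", signed=True)
    issuer, subject = tbs[2][1], tbs[4][1]             # Names compared as raw DER
    return {"serial": serial, "serial_text": f"{serial} (0x{serial:x})",
            "self_signed": issuer == subject}

def der(tag, content):
    """Minimal DER encoder (lengths up to 65535), only used to build the sample."""
    n = len(content)
    length = bytes([n]) if n < 128 else (b"\x81" + bytes([n]) if n < 256 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + content

def sample_pem(serial, subject_cn, issuer_cn=None):
    """Constructed, skeletal certificate with a dummy signature (demonstration input only)."""
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
    alg = der(0x30, der(0x06, b"\x2A\x86\x48\xCE\x3D\x04\x03\x02"))   # ecdsa-with-SHA256 OID
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
    spki = der(0x30, der(0x30, der(0x06, b"\x2A\x86\x48\xCE\x3D\x02\x01")) + der(0x03, b"\x00\x04"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))                        # version v3
              + der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
              + alg + name(issuer_cn or subject_cn) + validity + name(subject_cn) + spki)
    b64 = base64.b64encode(der(0x30, tbs + alg + der(0x03, b"\x00"))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(ta_cert_attributes(sample_pem(0x1A2B3C4D5E6F7081, "Demo Root CA")))
```

A self_signed value of False, or a serial that differs from the one the switch echoes, means the pasted text is not the root you meant to trust and the prompt should be answered with n.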