Installing a CA certificate

Prerequisites
  • Root certificate of a CA.
  • OCSP responder URLs for the CA, if you want to override the URLs embedded in the certificates the switch will validate. (Optional)

Procedure
  1. Create a TA profile with the command crypto pki ta-profile. This switches to the TA configuration context. A TA (trust anchor) profile holds the root certificate of one CA; the switch uses it to validate leaf certificates installed on the switch and the certificates presented by clients that communicate with the switch.
  2. Enable certificate revocation checking with the command revocation-check ocsp. Without it, a certificate that the CA has revoked but that still chains to this root is accepted.
  3. Most certificates carry the OCSP responder URL in their Authority Information Access extension, and the switch uses that URL by default. To override it, configure custom revocation checking URLs with the command ocsp url.
  4. Import the root certificate of the CA with the command ta-certificate, pasting it in PEM format. The switch displays the Issuer, Subject and Serial Number of the pasted certificate and asks for confirmation. Check them before answering y: a root CA certificate is self-signed, so its Issuer and Subject are identical, and the serial number (or fingerprint) should match the value the CA publishes.

Example

This example creates a TA profile named my-root-cert, enables OCSP revocation checking with custom responder URLs, and imports the root certificate:

switch(config)# crypto pki ta-profile my-root-cert
switch(config-ta-my-root-cert)# revocation-check ocsp
switch(config-ta-my-root-cert)# ocsp url primary http://ocsp-server.my-ca.com
switch(config-ta-my-root-cert)# ocsp url secondary http://ocsp-server2.my-ca.com
switch(config-ta-my-root-cert)# ta-certificate
Paste the certificate in PEM format below, then hit enter and ctrl-D:
switch(config-ta-cert)# -----BEGIN CERTIFICATE-----
switch(config-ta-cert)# MIIDuTCCAqECCQCuoxeJ2ZNYcjANBgkqhkiG9w0BAQsFADCBqzELMAkGA1UEBh
switch(config-ta-cert)# VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEDAOBgNVBAcMB1JvY2tsaW4xDDAKBg
switch(config-ta-cert)# BAoMA0hQTjEVMBMGA1UECwwMSFBOUm9zZXZpbGxlMSowKAYDVQQDDCFocG5zdz
switch(config-ta-cert)# OTQucm9zZS5yZGxhYnMuaHBlY29ycC5uZXQxJDAiBgkqhkiG9w0BCQEWFWZyZW
switch(config-ta-cert)# YW4uaHVhbmdAaHBlLmNvbTAeFw0xODAxMTIxODMwNDZaFw0yMDExMDExODMwND
switch(config-ta-cert)# MIGQMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEQMA4GA1UEBw
switch(config-ta-cert)# Um9ja2xpbjEMMAoGA1UECgwDSFBOMRYwFAYDVQQLDA1IUE4gUm9zZXZpbGxlMQ
switch(config-ta-cert)# DAYDVQQDDAU4NDAwWDEkMCIGCSqGSIb3DQEJARYVZnJlZW1hbi5odWFuZ0BocG
switch(config-ta-cert)# Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy55o/a1PA3s40/
switch(config-ta-cert)# U2tr7EBWczMspmdWxVpr4oNMeezY8afNU3nD8Jv6kXtM6zBIDLBtghO3uPCoIO
switch(config-ta-cert)# 9LgnJ25VMo8qe00h10J55ZkKu7DYEB1aCmAvhOzhzsh3efP2Ee49K83iGyymuX
switch(config-ta-cert)# i5vM4iulcA5y2fo5sQZoQezFkKMjyZ/u8ffqS3w5BdrFbIyD0ZungFCFN6NTe6
switch(config-ta-cert)# 67W4o+sLC5i1ZXKO6CC4MEcD3c7qrrcp6W9/0ub3oJsbGDPtRNmCG/EC98oFxJ
switch(config-ta-cert)# 6OLAYduce4/iEm7yVMN901bG2wMJMDRNSySwk+8EC/oHguAGHwQhiq7d+cU0mB
switch(config-ta-cert)# LdGpLwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAXrW/nxQmAN/fozq0mgUuqtX
switch(config-ta-cert)# yS2JaP2xg2xqG/Gn3NYn1F52iqdpbxaACOnbF3y1FFpw3zEPVodGDcOg4QLdvZ
switch(config-ta-cert)# BoSMPULi+DlDeT/3xzzrA2LiiF4MrXhOMdEzpTIxXYdFOmoOAsFeiJ+Eo2/41D
switch(config-ta-cert)# x3WFf3dFZ8o9sd5LVAHneH/ztb9MP34z+le1V346r12L2MDL8JkpxmTOVJVyTO
switch(config-ta-cert)# BIzD/ST/HaWI+0S+S80rm93PSscEbb9GWk7vshh5E8DH73nW/moehBKcE4O1zy
switch(config-ta-cert)# 3LvMLZcssSe5J2Ca2XIhfDme8UaNZ7syGYoCD/TMsAW0nG7yYHWkEOQu9stg
switch(config-ta-cert)# -----END CERTIFICATE-----
switch(config-ta-cert)#
The certificate you are importing has the following attributes:
Issuer:  C=US, ST=California, L=Rocklin, O=Mys, OU=Mysite,
         CN=mysite.com/emailAddress=test.ca@mysite.com
Subject: C=US, ST=California, L=Rocklin, O=Mys, OU=Mysite,
         CN=8400/emailAddress=test.ca@mysite.com
Serial Number: 12183621634631568498 (0xaea41787d5945772)

Do you want to accept this certificate (y/n)? y
TA certificate accepted.
switch(config-ta-my-root-cert)#