Installing a certificate of a root CA
Prerequisites
- A certificate of a root CA (that is used as the signer).
- Revocation checking URLs for the CA (optional).
Procedure
- Create a TA profile with the command crypto pki ta-profile, which then switches to the created TA profile context.
- Optionally enable certificate revocation checking with the command revocation-check ocsp. Most certificates contain revocation checking URLs for OCSP. If you want to override these URLs, configure custom revocation checking URLs with the command ocsp url.
  NOTE: This step is optional and suggested only for advanced users.
- Import the certificate of the root CA with the command ta-certificate.
Example
This example installs the certificate root-cert and defines custom revocation checking URLs:
switch(config)# crypto pki ta-profile root-cert
switch(config-ta-root-cert)# revocation-check ocsp
switch(config-ta-root-cert)# ocsp url primary http://ocsp-server.site.com
switch(config-ta-root-cert)# ocsp url secondary http://ocsp-server2.site.com
switch(config-ta-root-cert)# ta-certificate import terminal
Paste the certificate in PEM format below, then hit enter and ctrl-D:
switch(config-ta-cert)# -----BEGIN CERTIFICATE-----
switch(config-ta-cert)# MIIDuTCCAqECCQCuoxeJ2ZNYcjANBgkqhkiG9w0BAQsFADCBqzELMAEBh
switch(config-ta-cert)# VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEDAOBgNVBAcMB1JvY2tsDAKBg
switch(config-ta-cert)# BAoMA0hQTjEVMBMGA1UECwwMSFBOUm9zZXZpbGxlMSowKAYDVQocG5zdz
...
switch(config-ta-cert)# x3WFf3dFZ8o9sd5LVAHneH/ztb9MP34z+le1V346r12L2kpxmTOVJVyTO
switch(config-ta-cert)# BIzD/ST/HaWI+0S+S80rm93PSscEbb9GWk7vshh5EnW/moehBKcE4O1zy
switch(config-ta-cert)# 3LvMLZcssSe5J2Ca2XIhfDme8UaNZ7syGYMsAW0nG7yYHWkEOQu9s
switch(config-ta-cert)# -----END CERTIFICATE-----
switch(config-ta-cert)#
The certificate you are importing has the following attributes:
Issuer: C=US, ST=CA, L=Rocklin, O=Company, OU=Site, CN=site.com/emailAddress=test.ca@site.com
Subject: C=US, ST=CA, L=Rocklin, O=Company, OU=Site, CN=8400/emailAddress=test.ca@site.com
Serial Number: 12121221634631568498 (0xaea51217d5945772)

TA certificate import is allowed only once for a TA profile
Do you want to accept this certificate (y/n)? y
TA certificate accepted.
switch(config-ta-root-cert)#
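
Because a TA certificate can be imported only once per TA profile, it helps to inspect the PEM file on a workstation first and compare its issuer, subject and serial number with what the switch shows before answering y. The script below is an added example, not part of the original guide; it assumes the openssl command-line tool is installed, and the function names precheck_ta_cert and cert_serial are hypothetical.

```shell
#!/bin/sh
# Added example: workstation-side pre-check of a CA certificate file before it
# is pasted into "ta-certificate import terminal". Requires the openssl CLI.

# Serial as lowercase hex with a 0x prefix, the form shown in parentheses on
# the switch's "Serial Number:" confirmation line.
cert_serial() {
    raw=$(openssl x509 -in "$1" -noout -serial 2>/dev/null) || return 1
    printf '0x%s\n' "$(printf '%s' "${raw#*=}" | tr 'A-F' 'a-f')"
}

# The file must hold exactly one PEM certificate, parse cleanly and be
# unexpired. On success, prints the fields to compare with the switch prompt.
precheck_ta_cert() {
    pem=$1
    # openssl x509 reads only the first certificate in a file, so a bundle
    # would display one certificate while the paste contains several.
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem" 2>/dev/null || true)
    if [ "$n" != 1 ]; then
        echo "FAIL: expected exactly 1 certificate in $pem, found ${n:-0}" >&2
        return 1
    fi
    if ! openssl x509 -in "$pem" -noout 2>/dev/null; then
        echo "FAIL: $pem is not a parsable PEM certificate" >&2
        return 1
    fi
    # -checkend 0 exits non-zero when the certificate has already expired.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $pem has expired" >&2
        return 1
    fi
    openssl x509 -in "$pem" -noout -issuer -subject -nameopt RFC2253
    echo "serial=$(cert_serial "$pem")"
    # Fingerprint to confirm out-of-band with the CA operator.
    openssl x509 -in "$pem" -noout -fingerprint -sha256
}

# Run as: sh precheck.sh <certificate file>
if [ "$#" -gt 0 ]; then precheck_ta_cert "$1"; fi
```
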