AOS-CX 10.07 Security Guide
Installing a certificate of a root CA
Prerequisites
- A certificate of a root CA (that is used as the signer).
- Revocation checking URLs for the CA (optional).
Procedure
- Create a TA profile with the command crypto pki ta-profile, which switches to the TA profile context.
- Optionally enable certificate revocation checking with the command revocation-check ocsp. Most certificates contain revocation checking URLs for OCSP. If you want to override these URLs, configure custom revocation checking URLs with the command ocsp url.
- Import the certificate of the root CA with the command ta-certificate.
Step 2 is optional and suggested only for advanced users.
Example
This example installs the certificate root-cert and defines custom revocation checking URLs:
switch(config)# crypto pki ta-profile root-cert
switch(config-ta-root-cert)# revocation-check ocsp
switch(config-ta-root-cert)# ocsp url primary http://ocsp-server.site.com
switch(config-ta-root-cert)# ocsp url secondary http://ocsp-server2.site.com
switch(config-ta-root-cert)# ta-certificate import terminal
Paste the certificate in PEM format below, then hit enter and ctrl-D:
switch(config-ta-cert)# -----BEGIN CERTIFICATE-----
switch(config-ta-cert)# MIIDuTCCAqECCQCuoxeJ2ZNYcjANBgkqhkiG9w0BAQsFADCBqzELMAEBh
switch(config-ta-cert)# VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEDAOBgNVBAcMB1JvY2tsDAKBg
switch(config-ta-cert)# BAoMA0hQTjEVMBMGA1UECwwMSFBOUm9zZXZpbGxlMSowKAYDVQocG5zdz
...
switch(config-ta-cert)# x3WFf3dFZ8o9sd5LVAHneH/ztb9MP34z+le1V346r12L2kpxmTOVJVyTO
switch(config-ta-cert)# BIzD/ST/HaWI+0S+S80rm93PSscEbb9GWk7vshh5EnW/moehBKcE4O1zy
switch(config-ta-cert)# 3LvMLZcssSe5J2Ca2XIhfDme8UaNZ7syGYMsAW0nG7yYHWkEOQu9s
switch(config-ta-cert)# -----END CERTIFICATE-----
switch(config-ta-cert)#
The certificate you are importing has the following attributes:
Issuer: C=US, ST=CA, L=Rocklin, O=Company, OU=Site, CN=site.com/emailAddress=test.ca@site.com
Subject: C=US, ST=CA, L=Rocklin, O=Company, OU=Site, CN=8400/emailAddress=test.ca@site.com
Serial Number: 12121221634631568498 (0xaea51217d5945772)
TA certificate import is allowed only once for a TA profile
Do you want to accept this certificate (y/n)? y
TA certificate accepted.
switch(config-ta-root-cert)#
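Because the switch accepts only one certificate import per TA profile and prompts for confirmation with the issuer, subject and serial number, it helps to verify the PEM file on the administrator's workstation first. The following script is an added example, not part of the guide or of AOS-CX; it assumes openssl is installed locally, checks that the file is a self-signed CA certificate that has not expired, and prints the same attributes the switch echoes plus a SHA-256 fingerprint to compare with the value the CA publishes out of band. The sample root and device certificates it creates are constructed locally with throwaway keys.

```shell
#!/bin/sh
# Added example, not from the AOS-CX guide: checks to run on an admin
# workstation with openssl before a root CA PEM is pasted into
# "ta-certificate import terminal". The switch allows one import per TA
# profile, so verifying the file first avoids a wasted profile.
set -eu

# check_root_ca <pem-file>: returns 0 when the PEM is a plausible root CA
# certificate (parseable, self-signed, CA:TRUE, not expired) and prints the
# attributes the switch will echo (issuer, subject, serial) plus the SHA-256
# fingerprint, to compare with the value the CA publishes out of band.
check_root_ca() {
    pem="$1"
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || return 1
    issuer=$(openssl x509 -in "$pem" -noout -issuer)
    subject=$(openssl x509 -in "$pem" -noout -subject)
    # A root is self-signed; an intermediate or a device certificate fails here.
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 2
    # basicConstraints must assert CA:TRUE or the switch cannot chain to it.
    openssl x509 -in "$pem" -noout -text | grep -A1 'Basic Constraints' \
        | grep -q 'CA:TRUE' || return 3
    # -checkend 0 fails once the certificate has expired.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null || return 4
    printf '%s\n%s\n' "$issuer" "$subject"
    openssl x509 -in "$pem" -noout -serial -fingerprint -sha256
}

# Constructed sample input (throwaway keys generated locally): a self-signed
# root CA and a device certificate signed by it. Prints the directory.
make_samples() {
    dir=$(mktemp -d)
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n' > "$dir/ca.cnf"
    printf '[v3_ca]\nbasicConstraints=critical,CA:TRUE\nsubjectKeyIdentifier=hash\n' >> "$dir/ca.cnf"
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/C=US/O=Example/CN=Example Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/C=US/O=Example/CN=switch1" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 30 -out "$dir/leaf.pem" >/dev/null 2>&1
    echo "$dir"
}

samples=$(make_samples)
check_root_ca "$samples/root.pem"          # exit status 0: safe to paste
```

Running check_root_ca on the device certificate instead of the root returns status 2, the case where an operator has pasted the wrong file from the chain.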