Enterasys Networks XSR CLI Router User Manual


 
CA Identity Mode Commands
14-88 Configuring the VPN
XSR(config)#crypto ca identity ACMEca
XSR(ca-identity)#enrollment url http://ca_server
XSR(ca-identity)#enrollment retry period 5
enrollment url
This command sets the Uniform Resource Locator (URL) of the Certificate Authority (CA). If the
CA cgi-bin script site is not the default /cgi-bin/pkiclient.exe at the CA, you must also include the
non-standard script site in the URL as http://CA_name/script_location, where script_location is the
full path to the CA scripts. Be aware that the URL format may vary.
Syntax
enrollment url url
Syntax of the “no” Form
This command's no form deletes the CA's URL value from the configuration:
no enrollment url url
Mode
Certificate Authority Identity configuration: XSR(ca-identity)#
Examples
The following example shows the minimum configuration required to declare a CA:
XSR(config)#crypto ca identity ACMEca
XSR(ca-identity)#enrollment url http://ca_server
The example below shows a static IP hostname for the enrollment URL:
XSR(config)#crypto ca identity CAserver
XSR(ca-identity)#enrollment url http://ParentCA.domain.com/certsrv/mscep/mscep.dll
crypto ca enroll
This command enrolls a certificate for the XSR with the specified Certificate Authority (CA). It is
not saved in the XSR configuration file but in a local encrypted database named cert.dat.
url
TheURLoftheCAwheretheXSRsendscertificaterequests.TheURLmaybeinthe
formofhttp://CA_namewhereCA_nameistheCAʹshostIPaddressordefinedstaticIP
hostname.
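The URL forms described above (for both enrollment url and the url parameter of crypto ca enroll), as an added Python example that is not part of the Enterasys manual: it applies the page's default script location when a URL carries no path, classifies the CA host as an IP address or hostname, and emits the ca-identity command block. The IP-versus-hostname check, the whitespace rejection and the http-only rule are this example's own assumptions; the XSR's actual URL parsing is not documented here.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Script location the page says the XSR assumes when the enrollment URL
# carries no explicit path (http://CA_name alone).
DEFAULT_SCRIPT_LOCATION = "/cgi-bin/pkiclient.exe"


def effective_scep_endpoint(url: str) -> dict:
    """Return the host, host kind and script path the XSR would request.

    Assumptions of this example: whitespace in the URL is rejected (a
    line-wrapped URL pasted from a manual is a common cause), only http
    is accepted, and an IP literal is told apart from a hostname with
    the ipaddress module.
    """
    if any(ch.isspace() for ch in url):
        raise ValueError("enrollment url must not contain whitespace")
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("expected http://CA_name[/script_location]")
    try:
        ipaddress.ip_address(parts.hostname)
        host_kind = "ip"
    except ValueError:
        host_kind = "hostname"
    # An empty or bare "/" path means the default cgi-bin script site.
    path = parts.path if parts.path not in ("", "/") else DEFAULT_SCRIPT_LOCATION
    return {"host": parts.hostname, "host_kind": host_kind, "script_location": path}


def ca_identity_config(name: str, url: str, retry_period: Optional[int] = None) -> list:
    """Build the ca-identity command lines shown on the page, validating the URL first."""
    effective_scep_endpoint(url)  # raises on a malformed URL before any line is emitted
    lines = ["crypto ca identity " + name, "enrollment url " + url]
    if retry_period is not None:
        if retry_period < 1:
            raise ValueError("retry period must be positive")
        lines.append("enrollment retry period " + str(retry_period))
    return lines
```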
Notes: You can remove existing certificates with the no certificate command.
If an enroll request to the Entrust CA fails, be sure the CA does not contain an outstanding
PENDING enroll request from that same XSR left by a previously incomplete enroll request. Because
the Entrust CA allows only one outstanding request from any single client seeking certificate
enrollment, the CA administrator must delete the pending certificate for the outstanding request at
the CA before the XSR can reissue its certificate enrollment request.
For Verisign CA compliance, you must provide the domain name that you specified when signing up
with Verisign by using the ip domain command. See page 5-155 for command details.