Authentication Types
Configuration Using the TFTP Method
TFTP certificate enrollment is similar to manual enrollment, except that a TFTP server supplies the CA
and router certificates. To use TFTP, follow these steps, beginning in privileged EXEC mode:
Command                                        Purpose
Step 1   configure terminal                    Enters global configuration mode.
Step 2   crypto pki trustpoint name            Specifies the name of the trustpoint.
Step 3   enrollment url tftp://address         Specifies the URL to be used for certificate enrollment.
Step 4   rsakeypair name 1024                  Specifies that an RSA key pair with the given name is generated with a length of 1024 bits.
Step 5   subject-name CN=name                  Adds the subject name to the certificate. The name should be the same as the user name defined in the dot1x credentials name command.
Step 6   exit                                  Returns to global configuration mode.
Step 7   crypto pki authenticate name          Enters the process of importing the CA certificate.
Step 8   quit                                  Exits the import CA certificate process.
Step 9   crypto pki enroll name                Requests a router certificate from a CA. This step generates the certificate request and puts it on the TFTP server. The request must then be copied to the CA server to obtain the router certificate.
Step 10  crypto pki import name certificate    Imports the router certificate.
Step 11  end                                   Returns to privileged EXEC mode.
Step 12  copy running-config startup-config    (Optional) Saves your entries in the configuration file.
Note the following regarding the TFTP method:
• If a filename is included in the URL, the router appends an extension to that filename. When you enter the crypto pki authenticate command, the router retrieves the certificate of the CA from the specified TFTP server.
• To look for the CA certificate on the TFTP server, the router appends the extension .ca to the filename, if one is specified in the URL, or otherwise to the router's fully qualified domain name (FQDN). For example, if the URL option is tftp://TFTP-server/TFTPfiles/router1, the file TFTPfiles/router1.ca is read from the TFTP server TFTP-server. If the router's FQDN is router1.cisco.com and the URL option is tftp://tftp.cisco.com, the file router1.cisco.com.ca is read from the TFTP server tftp.cisco.com. The file must contain the certificate of the CA either in binary format (Distinguished Encoding Rules, DER) or base 64-encoded (Privacy Enhanced Mail, PEM).
• When a user enrolls the router using the crypto pki enroll command, the user is prompted for information regarding the enrollment. The filename is already determined at this point, and an extension of .req is appended to indicate that this is a certificate request. For usage keys, two requests are generated and two certificates are expected to be granted; the extensions for the two certificate requests are therefore -sign.req and -encr.req.
• After the user enters the crypto pki import command, the router attempts to fetch the granted certificate using the same filename that was used to send the request, except that the .req extension is replaced by a .crt extension. The certificates should be in base 64-encoded Personal Information Exchange Syntax Standard (PKCS) #10 format.
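To stage the correct files on the TFTP server, and to know which file names to expect in the TFTP server's transfer log, the naming rules above can be turned into a small helper. This is an added example, not Cisco code or part of the guide; the handling of a URL whose path ends in "/" (the FQDN becomes the base name) and the DER check (first byte 0x30, an ASN.1 SEQUENCE tag) are assumptions.

```python
"""Derive the file names an IOS router reads and writes on the TFTP server
during TFTP certificate enrollment, following the naming rules in the guide.
Added example, not Cisco code."""
from urllib.parse import urlparse


def tftp_enrollment_files(enrollment_url, router_fqdn, usage_keys=False):
    """Return the TFTP server plus the CA, request and granted-cert file names.

    enrollment_url: the value given to 'enrollment url tftp://...'
    router_fqdn:    the router's FQDN, used when the URL carries no filename
    usage_keys:     True when separate signing and encryption keys are used
    """
    parsed = urlparse(enrollment_url)
    if parsed.scheme != "tftp" or not parsed.netloc:
        raise ValueError("expected tftp://server[/path/filename]")
    path = parsed.path.lstrip("/")
    # Assumption: an empty path, or one ending in "/", carries no filename,
    # so the router's FQDN becomes the base name (the guide's second case).
    base = path if path and not path.endswith("/") else path + router_fqdn
    # Usage keys produce two requests (-sign, -encr); otherwise a single .req.
    suffixes = ["-sign", "-encr"] if usage_keys else [""]
    requests = [f"{base}{s}.req" for s in suffixes]
    return {
        "server": parsed.netloc,
        "ca_cert": f"{base}.ca",          # fetched by 'crypto pki authenticate'
        "requests": requests,             # written by 'crypto pki enroll'
        # '.req' is swapped for '.crt'; fetched by 'crypto pki import'
        "granted_certs": [r[:-4] + ".crt" for r in requests],
    }


def ca_file_encoding(data):
    """Classify a staged CA certificate file as PEM or DER before the router
    fetches it; anything else is rejected. Assumption: a DER-encoded X.509
    certificate begins with the ASN.1 SEQUENCE tag 0x30."""
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    raise ValueError("CA certificate file is neither PEM nor DER")


if __name__ == "__main__":
    # Constructed inputs matching the guide's example URL and FQDN.
    print(tftp_enrollment_files("tftp://TFTP-server/TFTPfiles/router1", "router1.cisco.com"))
    print(tftp_enrollment_files("tftp://tftp.cisco.com", "router1.cisco.com", usage_keys=True))
```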
Cisco 3200 Series Wireless MIC Software Configuration Guide