Here’s the topology I’m going to use to configure a Cisco IOS Certificate Server:
1. Set the clock on every router that will use certificates.
Every certificate carries a “validity” field (notBefore / notAfter) that defines the window of time outside which the certificate is considered invalid. A device whose clock is wrong will therefore reject perfectly good certificates as “not yet valid” or “expired”, and CA authentication and enrollment will fail, so the clock must be set correctly on every device that uses certificate services before you go any further.
You can do this either by configuring NTP on the routers (preferred, since the clocks then stay in step) or by setting the clock by hand with the clock set command in privileged EXEC mode. Set the time zone as well, so that the timestamps you compare between devices actually mean the same thing.
4. Create a trust-point on the Server and specify the RSA key pair to be used (the rsakeypair command under the trust-point points it at the key pair label generated earlier)
Server(config)#crypto pki trustpoint CA
5. Now create a certificate server on the Server, using the same name as the trust-point, and configure its parameters
Server(config)#crypto pki server CA
Server(cs-server)#issuer-name CN=cisco.lab.local C=IN
Server(cs-server)#database url nvram:
Server(cs-server)#database level complete
Server(cs-server)#lifetime certificate 365
Server(cs-server)#lifetime ca-certificate 365
Server(cs-server)#no grant auto
Server(cs-server)#lifetime crl 24
Finish with the no shutdown command. You’ll be prompted for a passphrase; choose one (e.g. cisco123) and enter it twice. This passphrase protects the CA’s private key in the database and is needed again to export or restore the CA, so record it somewhere safe. The certificate services should now be up, as seen in the screenshot below. Two caveats on the settings above: database level complete stores every issued certificate, which can fill NVRAM on a busy CA, so on anything beyond a lab point database url at flash or an external FTP/TFTP server; and because the CA certificate and the issued certificates both have a 365-day lifetime, certificates issued late in the CA’s life are cut short at the CA certificate’s expiry, so in practice the CA certificate lifetime should be considerably longer than that of the certificates it issues.
Once you authenticate the CA from the Client (crypto pki authenticate CA), you’ll be presented with the MD5 & SHA1 fingerprints of the CA certificate. This is the one point where trust is established, so compare the fingerprint against the value shown by show crypto pki server on the Server (or obtained from the CA administrator out of band) before accepting it; compare the SHA1 value rather than the MD5 one. Accept the certificate as shown in the screenshot below.
9. Enroll the Client to the CA
Client(config)#crypto pki enroll CA
Once you enter the above command, you are asked to create a challenge password (cisco123 again in this example, as shown in the screenshot below). This is not the passphrase used to bring up the CA and need not match it: it is the revocation password for this certificate, which you would have to provide to the CA administrator to have the certificate revoked, so keep a note of it.
Before the request is sent, you are also asked whether to include the router’s serial number and an IP address in the subject name of the certificate; both are optional. The subject name itself is set with the subject-name command under the trust-point.
10. Grant the certificate request on the Server
Since we issued the “no grant auto” command on the CA, each certificate request has to be granted manually, which gives the administrator a chance to check who is asking before signing. List the pending certificate requests on the CA with the crypto pki server CA info requests command.
Enter the crypto pki server CA grant all command to grant all the pending requests, or crypto pki server CA grant followed by a request ID to grant a single one (reject works the same way for requests you do not recognise). The Client polls the CA periodically for its certificate, so it may take up to a minute after granting before the certificate appears on the Client.
On the Client, use the show crypto pki certificates command to view the CA’s certificate and the certificate received from the CA. On the Server, show crypto pki server shows the CA state, its certificate fingerprint and the number of certificates issued so far.
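The whole procedure, server and client side, collected into one configuration walk-through. This is an added example and not the original post’s screenshots or configuration; it assumes the hostnames Server and Client, the CA name CA, a server address of 10.0.0.1 that the Client can reach, a 2048-bit key pair labelled CA on the Server and CLIENT-KEY on the Client, and that the Server doubles as the lab’s NTP source. Commands are shown with the IOS prompt they are typed at; lines beginning with ! are comments.

```cisco
! ===== Server: clock, HTTP (needed for SCEP), CA key pair, trust-point, CA =====
Server# clock set 12:00:00 1 Jan 2024
Server# configure terminal
Server(config)# clock timezone UTC 0
Server(config)# ntp master 3
! SCEP enrollment is carried over HTTP, so the IOS HTTP server must be on.
Server(config)# ip http server
! Key pair for the CA; 'exportable' allows the CA key to be backed up.
Server(config)# crypto key generate rsa general-keys label CA modulus 2048 exportable
Server(config)# crypto pki trustpoint CA
Server(ca-trustpoint)# rsakeypair CA
Server(ca-trustpoint)# exit
Server(config)# crypto pki server CA
Server(cs-server)# issuer-name CN=cisco.lab.local C=IN
! nvram: is fine for a lab; use flash: or an external server for a real CA.
Server(cs-server)# database url nvram:
Server(cs-server)# database level complete
Server(cs-server)# lifetime certificate 365
! Issued certificates cannot outlive this, so make it longer in production.
Server(cs-server)# lifetime ca-certificate 365
Server(cs-server)# lifetime crl 24
! Every request is reviewed by hand before it is signed.
Server(cs-server)# no grant auto
Server(cs-server)# no shutdown
! Prompt: passphrase protecting the CA private key (cisco123 in the post).
Server(cs-server)# end
! Record the "Certificate fingerprint" line for the client's authenticate step.
Server# show crypto pki server

! ===== Client: clock, key pair, trust-point, authenticate, enroll =====
Client# configure terminal
Client(config)# clock timezone UTC 0
Client(config)# ntp server 10.0.0.1
Client(config)# crypto key generate rsa general-keys label CLIENT-KEY modulus 2048
Client(config)# crypto pki trustpoint CA
Client(ca-trustpoint)# enrollment url http://10.0.0.1:80
Client(ca-trustpoint)# subject-name CN=client.lab.local
Client(ca-trustpoint)# rsakeypair CLIENT-KEY
! Check the CA's CRL (fetched from the enrollment URL); 'none' only for a throwaway lab.
Client(ca-trustpoint)# revocation-check crl
Client(ca-trustpoint)# exit
! Prints the CA certificate's MD5/SHA1 fingerprints. Answer "yes" only if the
! SHA1 value equals the one shown by 'show crypto pki server' on the Server.
Client(config)# crypto pki authenticate CA
! Prompts: challenge (revocation) password, include serial number?, include IP
! address?, request certificate? The challenge password is independent of the
! CA passphrase.
Client(config)# crypto pki enroll CA
Client(config)# end

! ===== Server: review and grant (or reject) the pending request =====
Server# crypto pki server CA info requests
! Grant everything pending, or 'grant <ReqID>' / 'reject <ReqID>' per request.
Server# crypto pki server CA grant all

! ===== Client: the certificate arrives on the next SCEP poll (about a minute) =====
Client# show crypto pki certificates
Client# show crypto pki trustpoints status
```

If show crypto pki certificates on the Client shows the CA certificate but no router certificate after a couple of minutes, check that the request was actually granted (crypto pki server CA info requests should be empty) and that the clocks on both routers agree, since a skewed clock is the most common reason an otherwise correct enrollment fails.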