At the routername> prompt, type enable (en is accepted as an abbreviation).
Type in your password. You are now in "Enable Mode" (privileged EXEC mode) on the router.
At the routername# prompt, type configure terminal (config t).
At the routername(config)# prompt, type no crypto ca identity ExistingCAIdentityName. This removes the existing CA identity together with the CA certificate and any router certificates associated with it.
Type y to confirm. All certificates under that identity are destroyed.
At the routername(config)# prompt, type crypto ca identity NewCAIdentityName.
At the routername(ca-identity)# prompt, type enrollment mode ra. The CEP Add-on acts as a registration authority (RA), so the router must be told to expect an RA certificate in addition to the CA certificate.
Note
Do not use the query sub-command at the routername(ca-identity)# prompt to configure the router. That sub-command tells the router to retrieve certificates and CRLs from an LDAP directory, which the CEP Add-on does not provide.
At the routername(ca-identity)# prompt, type enrollment url http://URLHostName/certsrv/mscep/mscep.dll where URLHostName is the name of the server that hosts the CA's enrollment Web pages (also referred to as Certificate Services Web pages).
If you do not want the router to check the CA's certificate revocation list (CRL), at the routername(ca-identity)# prompt, type crl optional. Without this command the router rejects a peer's certificate whenever it cannot obtain the CRL; with it, the router still attempts to retrieve the CRL but accepts the peer's certificate if the CRL is unavailable. Bear in mind that revoking a router certificate later (see the password notes below) has no effect on a peer that cannot, or is not required to, obtain the published CRL.
At the routername(ca-identity)# prompt, type exit.
At the routername(config)# prompt, type exit.
At the routername# prompt, type write memory (equivalent to copy running-config startup-config) to save the configuration.
To confirm that your changes have taken place, at the routername# prompt, type write terminal (equivalent to show running-config). The router will display its configuration information. No certificates will appear in the displayed information, and you will see the enrollment URL you entered.
At the routername# prompt, type config t.
At the routername(config)# prompt, type crypto ca authenticate NewCAIdentityName.
The attributes of the CA certificate will be displayed, including its fingerprint. The fingerprint is a hash of the CA certificate (an MD5 hash on the IOS releases this procedure was written for; later releases also display a SHA-1 fingerprint), shown as groups of hexadecimal characters, and it is unique to that CA certificate.
You can check that the fingerprint of the CA certificate being presented to the router matches the fingerprint of the authentic CA certificate by connecting to the URL: http://URLHostName/certsrv/mscep/mscep.dll in Internet Explorer. Verify that the fingerprint displayed at this URL matches the fingerprint of the certificate being presented to the router. Note that this Web page is fetched over the same unauthenticated HTTP path the router uses, so an attacker positioned between you and URLHostName could substitute a CA certificate and show the matching fingerprint in both places. For an independent check, obtain the fingerprint out of band from the CA administrator (for example, computed from the CA certificate exported on the CA itself) and compare against that. If the fingerprints differ, do not accept the certificate.
Type Y to accept the CA certificate (or N to reject it if the fingerprints do not match).
To confirm that you received the CA certificate, at the routername(config)# prompt, type exit.
At the routername# prompt, type show crypto ca certificates. The CA certificate will be displayed on the screen.
At the routername# prompt, type config t.
At the routername(config)# prompt, type crypto key generate rsa.
When you are asked if you want to replace your current keys, type Y.
Enter the number of bits in the modulus (key size). The default is 512. A 512-bit RSA modulus is too weak to rely on; choose 1024 bits or more (2048 if the router's IOS release supports it). The CA does not restrict the key size the router presents, but larger keys take noticeably longer to generate on the router.
At the routername(config)# prompt, type crypto ca enroll NewCAIdentityName.
You are asked to input a password.
Using Microsoft® Internet Explorer, retrieve a valid challenge password by connecting to the URL: http://URLHostName/certsrv/mscep/mscep.dll.
Some notes about this password:
Every time you connect to this URL, a different challenge password is displayed. Each challenge password is valid for 60 minutes and can only be used once.
The password displayed is both the challenge password for certificate enrollment and the password for certificate revocation. Remember this password so that in case you need to revoke the certificate, you can provide it to the CA administrator.
If you connect to the URL above and do not see a challenge password displayed, then the CEP Add-on was not set up to require a challenge password. In this case, you can make up a password of your own choosing. This password will be used for certificate revocation only.
If you are requesting a certificate from an enterprise CA, you must have the right to enroll for certificates based on the IPSecIntermediateOffline certificate template in order to access the URL above. By default, a member of the Enterprise Admins group or the Domain Admins group of the forest root domain will have the right to enroll for certificates based on the IPSecIntermediateOffline certificate template.
See the procedure entitled Set security permissions and delegate control of certificate templates in Windows 2000 Server Help for the procedure to change enrollment permissions for certificate templates.
By default, anyone who can reach the Web page at the URL above on a stand-alone CA can view it, and therefore can obtain a challenge password. Restrict network access to the page, or rely on administrator review of pending requests (see the procedures at the end of this page), if the CA must not issue router certificates to arbitrary hosts.
Type Y to include the router serial number in the subject name.
Type Y to include the IP address in the subject name.
Type Y to request the certificate from the CA. The certificate request fingerprint will be displayed and the certificate will be received from the CA. On a stand-alone CA the request stays pending until an administrator issues it; the router keeps polling the CA until the certificate is issued or the request is denied or times out.
Type exit to leave config mode.
At the routername# prompt, type show crypto ca certificates to verify that you have certificate(s) for the router. The certificate(s) issued to the router, as well as the CA certificate, will be displayed on the screen.
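The fingerprint check in the crypto ca authenticate step above is the one point in this procedure where the router's trust in the CA is decided, and the Web page used for the comparison comes over the same HTTP path as the router's own request. The script below is an added example, not code from the original page, from Microsoft or from Cisco; it shows how to make that check independent of the CEP Web page. It parses the degenerate PKCS#7 SignedData that the SCEP GetCACert operation returns (the CA certificate, plus the RA certificate when the CEP Add-on runs in RA mode), prints each certificate's fingerprint in the grouped form the router displays, and compares it in constant time against a fingerprint obtained out of band. The helper names, the constants, the GetCACert query string in fetch_getcacert(), and the sample bytes built by build_sample_getcacert_response() are this example's own assumptions; the sample is constructed placeholder data, not a real MSCEP response, so the script runs offline.

```python
"""Verify the CA certificate fingerprint the router shows during crypto ca authenticate.

Added example; not code from the original page, from Microsoft or from Cisco. Assumed:
helper and constant names, the GetCACert query string, and the constructed sample bytes.
"""
import hashlib
import hmac
import urllib.request

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2 (PKCS#7 signedData)
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1 (PKCS#7 data)

def der_tlv(tag, value):
    """Encode one DER TLV with definite length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value

def der_children(value):
    """Yield (tag, inner_value, raw_tlv) for each TLV in a constructed DER value."""
    pos = 0
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated DER header")
        tag, length, start = value[pos], value[pos + 1], pos + 2
        if length & 0x80:                     # long form: next (length & 0x7f) bytes carry the length
            n = length & 0x7F
            length = int.from_bytes(value[start:start + n], "big")
            start += n
        end = start + length
        if end > len(value):
            raise ValueError("truncated DER value")
        yield tag, value[start:end], value[pos:end]
        pos = end

def parse_pkcs7_certs(der):
    """Return the DER certificates carried in a degenerate PKCS#7 SignedData (SCEP GetCACert)."""
    tag, content_info, _ = next(der_children(der))
    if tag != 0x30:
        raise ValueError("ContentInfo is not a SEQUENCE")
    fields = list(der_children(content_info))
    if len(fields) < 2 or fields[0][0] != 0x06 or fields[0][1] != OID_SIGNED_DATA:
        raise ValueError("contentType is not signedData")
    if fields[1][0] != 0xA0:
        raise ValueError("missing [0] EXPLICIT content")
    _, signed_data, _ = next(der_children(fields[1][1]))
    certs = []
    for ftag, fval, _ in der_children(signed_data):
        if ftag == 0xA0:                      # certificates [0] IMPLICIT SET OF Certificate
            certs.extend(raw for ctag, _, raw in der_children(fval) if ctag == 0x30)
    return certs

def cisco_fingerprint(cert_der, algo="md5"):
    """Digest of the DER certificate in the grouped form IOS prints (MD5: four groups, SHA-1: five)."""
    hexd = hashlib.new(algo, cert_der).hexdigest().upper()
    return " ".join(hexd[i:i + 8] for i in range(0, len(hexd), 8))

def fingerprint_matches(shown, expected):
    """Constant-time comparison ignoring case and the spacing the router or the Web page adds."""
    def norm(s):
        return "".join(s.split()).upper().encode()
    return hmac.compare_digest(norm(shown), norm(expected))

def fetch_getcacert(url_hostname, timeout=10):
    """Download the GetCACert response from MSCEP (network; not used by the offline sample).
    Assumed query string: SCEP's operation=GetCACert with a message parameter naming the CA."""
    url = f"http://{url_hostname}/certsrv/mscep/mscep.dll?operation=GetCACert&message=ca"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()

# Constructed sample: two placeholder SEQUENCEs stand in for the CA and RA certificates.
# They are not real X.509 certificates; only their DER bytes matter for the fingerprint.
SAMPLE_CA_BODY = b"constructed CA certificate placeholder"
SAMPLE_RA_BODY = b"constructed RA certificate placeholder"

def build_sample_getcacert_response():
    """Wrap the placeholders in a degenerate SignedData laid out as GetCACert returns it."""
    certs = der_tlv(0x30, SAMPLE_CA_BODY) + der_tlv(0x30, SAMPLE_RA_BODY)
    signed_data = der_tlv(0x30,
        der_tlv(0x02, b"\x01")                       # version
        + der_tlv(0x31, b"")                         # digestAlgorithms: empty (no signers)
        + der_tlv(0x30, der_tlv(0x06, OID_DATA))     # encapContentInfo: id-data, no content
        + der_tlv(0xA0, certs)                       # certificates [0]
        + der_tlv(0x31, b""))                        # signerInfos: empty
    return der_tlv(0x30, der_tlv(0x06, OID_SIGNED_DATA) + der_tlv(0xA0, signed_data))

def check_against_out_of_band(response_der, trusted_fingerprint):
    """True if any certificate in the response has the fingerprint obtained from the CA admin."""
    return any(fingerprint_matches(cisco_fingerprint(c), trusted_fingerprint)
               for c in parse_pkcs7_certs(response_der))

if __name__ == "__main__":
    for i, cert in enumerate(parse_pkcs7_certs(build_sample_getcacert_response())):
        print(f"certificate {i}: MD5 {cisco_fingerprint(cert)}  SHA1 {cisco_fingerprint(cert, 'sha1')}")
```

For a live check, replace the sample with fetch_getcacert("URLHostName") and pass the fingerprint the CA administrator supplied to check_against_out_of_band(). The trusted value should come from the CA itself, not from the CEP Web page: export the CA certificate in DER form on the CA and run cisco_fingerprint() over the file's bytes, using "md5" to match what the router prints on the IOS releases this page covers and "sha1" where the router also prints a SHA-1 fingerprint. The Windows thumbprint shown in the Certification Authority snap-in is SHA-1, so it lines up with the SHA-1 form only.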
You should use Internet Explorer on a Windows 2000-based computer when performing procedural steps that require you to connect to the URL: http://URLHostName/certsrv/mscep/mscep.dll.
If Internet Explorer is configured to use a proxy server, make sure that the Bypass proxy server for local addresses check box is selected in the Tools, Internet Options, Connections, LAN Settings dialog box in Internet Explorer.
The router cannot process certificates whose issuer or subject name contains non-alphanumeric characters (for example: *, :, ;, ', "). Choose the CA name and the router's subject name accordingly before issuing certificates.
Some helpful procedures in Windows 2000 Server online documentation:
To issue or deny a pending certificate request on a stand-alone CA, see Review pending certificate requests in Windows 2000 Server Help.
To revoke a certificate and publish a CRL, see Revoke an issued certificate and Manually publish the certificate revocation list in Windows 2000 Server Help.
If you are issuing certificates to routers from a CA, you may want to view all issued certificates with the unstructuredName, unstructuredAddress, and serialNumber columns, which carry the router's host name, IP address, and serial number from the subject name. To add these columns to the MMC view, see Customize the display of columns in Certification Authority in Windows 2000 Server Help for general instructions on adding columns to the Certification Authority snap-in display.