Crypto Ca Authenticate - Cisco MDS 9000 series Command Reference Manual


crypto ca authenticate

Send documentation comments to mdsfeedback-doc@cisco.com
To associate and authenticate a certificate of the certificate authority (CA) and configure its CA
certificate (or certificate chain), use the crypto ca authenticate command in configuration mode. The
CA certificate or certificate chain is assumed to already be available in Privacy Enhanced Mail (PEM)
(base-64) encoded format.
crypto ca authenticate trustpoint-label
Syntax Description
trustpoint-label    Specifies the name of the trust point. The maximum size is 64
                    characters.
Defaults
None.
Command Modes
Configuration mode.
Command History
Release    Modification
3.0(1)     This command was introduced.
Usage Guidelines
This command authenticates the CA to the switch by obtaining the self-signed certificate of the CA that
contains the public key of the CA. Because the CA signs its own certificate, you should manually
authenticate the public key of the CA by contacting the CA administrator when you execute this
command.
This command is required when you initially configure certificate authority support for the switch.
Before you attempt CA authentication, first create the trust point using the crypto ca trustpoint
command. The CA certificate fingerprint (the MD5 or SHA hash of the certificate) is generally published
by the CA. When authenticating the CA, the certificate fingerprint is displayed. The administrator needs
to compare it with the one published by the CA and accept the CA certificate only if it matches.
If the CA being authenticated is a subordinate CA (meaning that it is not self-signed), then it is certified
by another CA, which in turn may be certified by yet another CA, and so on until there is a self-signed CA.
In this case, the subordinate CA in question is said to have a CA certificate chain certifying it. The entire
chain must be input during CA authentication. The maximum length that the CA certificate chain
supports is ten.
The trust point CA is the certificate authority configured on the switch as the trusted CA. Any peer
certificate obtained will be accepted if it is signed by a locally trusted CA or its subordinates.
Note
The trust point configuration (created by the crypto ca trustpoint command) is persistent only if saved
explicitly using the copy running-config startup-config command. The certificates and CRL associated
with a trust point are automatically made persistent if the trust point in question was already saved in the
startup configuration. Conversely, if the trust point was not saved in the startup configuration, the
certificates and CRL associated with it are not made persistent automatically because they do not exist
without the corresponding trust point after the switch reboots.
Cisco MDS 9000 Family Command Reference, Chapter 4: C Commands
OL-8413-07, Cisco MDS SAN-OS Release 3.x
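The fingerprint comparison and the ten-certificate chain limit described in the usage guidelines can be checked off-switch before the PEM text is entered. The following is an added example, not part of the Cisco manual: it splits a PEM bundle, enforces the chain limit, and compares each certificate's MD5 or SHA fingerprint with a value obtained from the CA. The function names, the SHA-256 support and the sample bundle (placeholder bytes, not real certificates) are assumptions of this example.

```python
import base64
import hashlib
import hmac
import re

MAX_CHAIN_LEN = 10  # chain limit stated in the usage guidelines
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# Digest chosen from the length of the published hex string (assumption:
# the CA publishes MD5, SHA-1 or SHA-256).
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed sample: two PEM blocks holding the placeholder bytes b"abc"
# and b"xyz". They are NOT real certificates; they only exercise the logic.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
eHl6
-----END CERTIFICATE-----
"""

def split_pem_chain(pem_text):
    """Return the DER bytes of each certificate in the bundle, in order."""
    ders = [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_RE.findall(pem_text)]
    if not ders:
        raise ValueError("no PEM certificate block found")
    if len(ders) > MAX_CHAIN_LEN:
        raise ValueError(f"chain has {len(ders)} certificates, "
                         f"limit is {MAX_CHAIN_LEN}")
    return ders

def fingerprint(der, algo="sha1"):
    """Certificate fingerprint: hex digest of the DER encoding."""
    return hashlib.new(algo, der).hexdigest()

def matches_published(der, published):
    """Compare a certificate with a fingerprint published by the CA.

    Accepts 'AB:CD:..', 'ab cd ..' or plain hex; rejects anything else.
    """
    want = re.sub(r"[\s:-]", "", published).lower()
    algo = ALGO_BY_HEXLEN.get(len(want))
    if algo is None or not re.fullmatch(r"[0-9a-f]+", want):
        raise ValueError("published fingerprint is not MD5/SHA-1/SHA-256 hex")
    return hmac.compare_digest(fingerprint(der, algo), want)
```

Obtain the published fingerprint over a channel independent of the one that delivered the PEM file; a match against a value that arrived with the certificate proves nothing.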
