Registration Authorities - Cisco Catalyst 2960 series Configuration Manual
Consolidated platform configuration guide, ios release 15.2(4)e
Hide thumbs
Also See for Catalyst 2960 series:
- Software configuration manual (980 pages) ,
- Command reference manual (800 pages) ,
- Configuration manual (120 pages)
Table of Contents
Advertisement
CAs can also revoke certificates for devices that will no longer participate in IPsec. Revoked certificates are
not recognized as valid by other IPsec devices. Revoked certificates are listed in a certificate revocation list
(CRL), which each peer may check before accepting a certificate from another peer.
Registration Authorities
Some CAs have a registration authority (RA) as part of their implementation. An RA is essentially a server
that acts as a proxy for the CA so that CA functions can continue when the CA is offline.
Some of the configuration tasks described in this document differ slightly, depending on whether your CA
supports an RA.
How to Configure Certification Authority
Managing NVRAM Memory Usage
Certificates and certificate revocation lists (CRLs) are used by your device when a CA is used. Normally
certain certificates and all CRLs are stored locally in the NVRAM of the device, and each certificate and CRL
uses a moderate amount of memory.
The following certificates are normally stored at your device:
• Certificate of your device
• Certificate of the CA
• Root certificates obtained from CA servers (all root certificates are saved in RAM after the device has
• Two registration authority (RA) certificates (only if the CA supports an RA)
CRLs are normally stored at your device according to the following conditions:
• If your CA does not support an RA, only one CRL gets stored in the device.
• If your CA supports an RA, multiple CRLs can be stored in the device.
In some cases, storing these certificates and CRLs locally will not present any difficulty. In other cases,
memory might become a problem—particularly if the CA supports an RA and a large number of CRLs have
to be stored on the device. If the NVRAM is too small to store root certificates, only the fingerprint of the
root certificate is saved.
To save NVRAM space, specify that certificates and CRLs should not be stored locally, but should be retrieved
from the CA when needed. This alternative will save NVRAM space but could result in a slight performance
impact. To specify that certificates and CRLs should not be stored locally on your device, but should be
retrieved when required, enable query mode.
If you do not enable query mode now, you can do it later even if certificates and CRLs have are already stored
on the device. In this case, when you enable query mode, the stored certificates and CRLs are deleted from
the device after you save the configuration. (If you copy the configuration to a TFTP site prior to enabling
query mode, you can save any stored certificates and CRLs at the TFTP site.)
Before disabling query mode, perform the copy system:running-config nvram:startup-config command
to save all current certificates and CRLs to NVRAM. Otherwise they could be lost during a reboot.
been initialized)
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
How to Configure Certification Authority
1145
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
