Working With Subordinate Cas - Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Admin Manual

scep# show crypto ca certificates
Certificate
Status: Available
Certificate Serial Number: 0C
Key Usage: General Purpose
Issuer:
CN = Certificate Authority
O = Sfbay Red hat Domain 20070111d12
Subject Name Contains:
Name: scep.server.example.com
IP Address: 10.14.1.94
Serial Number: 57DE391C
Validity Date:
start date: 21:42:40 UTC Jan 12 2007
end date: 21:49:50 UTC Dec 31 2008
Associated Identity: CA
CA Certificate
Status: Available
Certificate Serial Number: 01
Key Usage: Signature
Issuer:
CN = Certificate Authority
O = Sfbay Red hat Domain 20070111d12
Subject:
CN = Certificate Authority
O = Sfbay Red hat Domain 20070111d12
Validity Date:
start date: 21:49:50 UTC Jan 11 2007
end date: 21:49:50 UTC Dec 31 2008
Associated Identity: CA

4.4.3. Working with Subordinate CAs

Before the router can authenticate to a CA, every CA certificate in the CA's certificate chain must be
imported into the router, starting with the root. For example, this imports two CA certificates in the
chain into the router:
scep(config)# crypto ca trusted-root1
scep(ca-root)# root CEP http://server.example.com:12888/ee/scep/pkiclient.cgi
scep(ca-root)# crl optional
scep(ca-root)# exit
scep(config)# cry ca authenticate 1
scep(config)# crypto ca trusted-root0
scep(ca-root)# root CEP http://server.example.com:12888/ee/scep/pkiclient.cgi
scep(ca-root)# crl optional
scep(ca-root)# exit
scep(config)# cry ca authenticate 0
If the CA certificates do not have the CRL distribution point extension set, turn off the CRL requirement
by setting it to optional:
scep(ca-root)# crl optional
After that, set up the CA identity as described in
Router". For example, for enrolling through the RA:
scep(config)# crypto ca identity CA
Section 4.4.2, "Generating the SCEP Certificate for a
Working with Subordinate CAs
89