Re-Enrolling A Router; Enabling Debugging; Performing Bulk Issuance - Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Admin Manual

Chapter 4. Requesting, Enrolling, and Managing Certificates
scep(ca-identity)# enrollment url http://server.example.com:12888/ee/scep/pkiclient.cgi
scep(ca-identity)# crl optional

4.4.4. Re-enrolling a Router

Before a router can be re-enrolled with new certificates, the existing configuration has to be removed.
1. Remove (zeroize) the existing keys.
scep(config)# crypto key zeroize rsa
% Keys to be removed are named scep.server.example.com.
Do you really want to remove these keys? [yes/no]: yes
2. Remove the CA identity.
scep(config)# no crypto ca identity CA
% Removing an identity will destroy all certificates received from
the related Certificate Authority.
Are you sure you want to do this? [yes/no]: yes
% Be sure to ask the CA administrator to revoke your certificates.
No enrollment sessions are currently active.

4.4.5. Enabling Debugging

The router provides additional debugging output during SCEP operations when the debug statements are enabled.
scep# debug crypto pki callbacks
Crypto PKI callbacks debugging is on
scep# debug crypto pki messages
Crypto PKI Msg debugging is on
scep# debug crypto pki transactions
Crypto PKI Trans debugging is on
scep# debug crypto verbose
verbose debug output debugging is on

4.5. Performing Bulk Issuance

There can be instances when an administrator needs to submit and generate a large number of
certificates simultaneously, such as provisioning a new lot of HSMs or servers. Certificate System
provides a bulk issuance tool (bulkissuance) which submits a file that can contain dozens, even
thousands, of certificate requests to a special agent's interface for the CA. The file is essentially
composed like an HTML POST that can be parsed by the CA.
NOTE
The bulk issuance tool helps to process certificate requests. It does not generate
certificate requests, so all key generation and certificate request generation must be done
before performing a bulk issuance.