Creating A Trust Point Ca Association; Authenticating The Ca - HP Cisco MDS 9020 - Fabric Switch Configuration Manual

Cisco MDS 9000 Family CLI Configuration Guide, Release 3.x (OL-16184-01, April 2008)
Configuring CAs and Digital Certificates
Send documentation comments to mds-feedback-doc@cisco.com

Creating a Trust Point CA Association

To create a trust point CA association, follow these steps:

Step 1
Command: switch(config)# crypto ca trustpoint admin-ca
         switch(config-trustpoint)#
Purpose: Declares a trust point CA that the switch should trust and enters trust point configuration submode.
Note: The maximum number of trust points you can declare on a switch is 16.

Command: switch(config)# no crypto ca trustpoint admin-ca
Purpose: Removes the trust point CA.

Step 2
Command: switch(config-trustpoint)# enroll terminal
Purpose: Specifies manual cut-and-paste certificate enrollment (default).
Note: Manual cut-and-paste certificate enrollment is the only enrollment method supported.

Step 3
Command: switch(config-trustpoint)# rsakeypair SwitchA
Purpose: Specifies the label of the RSA key-pair to be associated with this trust point for the purpose of enrollment. The key-pair was generated earlier in the "Generating an RSA Key-Pair" section on page 34-6. Only one RSA key-pair can be specified per CA.

Command: switch(config-trustpoint)# no rsakeypair SwitchA
Purpose: Disassociates the RSA key-pair from the trust point (default).

Step 4
Command: switch(config-trustpoint)# end
         switch#
Purpose: Exits trust point configuration submode.

Step 5
Command: switch# copy running-config startup-config
Purpose: Copies the running configuration to the startup configuration so that the configuration persists across reboots.

Authenticating the CA

The configuration process of trusting a CA is complete only when the CA is authenticated to the MDS
switch. The switch authenticates the CA by obtaining the self-signed certificate of the CA in PEM format,
which contains the public key of the CA. Because the certificate of the CA is self-signed (the CA signs its
own certificate), the public key of the CA cannot be validated by any other party: you must verify it
manually, by contacting the CA administrator out of band and comparing the fingerprint of the CA
certificate with the fingerprint the switch displays before you accept it.

Note: If the CA being authenticated is not a self-signed CA (that is, it is a subordinate CA to another CA,
which itself may be a subordinate to yet another CA, and so on, finally ending in a self-signed CA), then
the full list of the CA certificates of all the CAs in the certification chain needs to be input during the
CA authentication step. This is called the CA certificate chain of the CA being authenticated. The maximum
number of certificates in a CA certificate chain is 10.
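The fingerprint comparison and the chain rules above can be checked on an administrator workstation before the PEM text is pasted into the switch. The following is an added example written for this page, not Cisco code and not an MDS command: it splits a PEM bundle, enforces the 10-certificate limit, checks that the chain is ordered from the subordinate CA up to a self-issued root (an ordering this example assumes), and compares the root's fingerprint in constant time with the value obtained from the CA administrator. The hash algorithm defaults to SHA-1 here as an assumption; use whatever algorithm the switch prints at its confirmation prompt. The sample chain is constructed inline from a minimal DER skeleton (placeholder key and signature, labelled as such) so the script runs offline; the parser reads the same issuer and subject fields from real certificates.

```python
"""Pre-check for the CA authentication step: split PEM, fingerprint, order, compare."""
import base64
import hashlib
import hmac
import re

MAX_CHAIN_LEN = 10  # limit stated in the guide for a CA certificate chain
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_bundle(pem_text):
    """Return the DER bytes of each certificate in the bundle, in input order."""
    ders = [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem_text)]
    if not ders:
        raise ValueError("no CERTIFICATE blocks found in PEM input")
    if len(ders) > MAX_CHAIN_LEN:
        raise ValueError(f"chain has {len(ders)} certificates, maximum is {MAX_CHAIN_LEN}")
    return ders


def fingerprint(der, algo="sha1"):
    """Colon-separated upper-case hex digest of the DER encoding (assumed display format)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, element_start, element_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, _, vend = _tlv(buf, pos)
        yield tag, pos, vend
        pos = vend


def issuer_and_subject(der):
    """Raw DER Name encodings of issuer and subject, taken from tbsCertificate."""
    _, cstart, _ = _tlv(der, 0)             # Certificate ::= SEQUENCE
    _, tstart, tend = _tlv(der, cstart)     # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tstart, tend))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    return der[fields[2][1]:fields[2][2]], der[fields[4][1]:fields[4][2]]


def is_self_signed(der):
    """Self-issued check (issuer == subject); cryptographic signature verification is out of scope."""
    issuer, subject = issuer_and_subject(der)
    return issuer == subject


def check_chain_order(ders):
    """Subordinate-first order: each issuer equals the next subject; the last cert is self-issued."""
    for i in range(len(ders) - 1):
        issuer, _ = issuer_and_subject(ders[i])
        _, next_subject = issuer_and_subject(ders[i + 1])
        if issuer != next_subject:
            raise ValueError(f"certificate {i} was not issued by certificate {i + 1}")
    if not is_self_signed(ders[-1]):
        raise ValueError("last certificate in chain is not self-issued")
    return True


def verify_root_fingerprint(pem_text, admin_fingerprint, algo="sha1"):
    """True only if the chain is well ordered and the root fingerprint matches the out-of-band value."""
    ders = split_pem_bundle(pem_text)
    check_chain_order(ders)
    expected = admin_fingerprint.replace(":", "").strip().upper()
    actual = fingerprint(ders[-1], algo).replace(":", "")
    return hmac.compare_digest(expected, actual)


# Constructed sample input, not a real certificate: a structurally valid Certificate
# skeleton with placeholder key and signature, enough for the parser above to read names.
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):  # Name ::= SEQUENCE OF RDN, one RDN holding CN (OID 2.5.4.3)
    attr = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x13, cn.encode()))
    return _der(0x30, _der(0x31, attr))


def make_sample_cert(subject_cn, issuer_cn):
    alg = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSAEncryption
    validity = _der(0x30, _der(0x17, b"080101000000Z") + _der(0x17, b"380101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer_cn) + validity + _name(subject_cn) + _der(0x30, b""))
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00"))  # placeholder signature
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SAMPLE_CHAIN = make_sample_cert("Sub CA", "Root CA") + make_sample_cert("Root CA", "Root CA")
```

A non-zero exit or a False return here means the pasted chain should not be accepted at the switch prompt; the fingerprint string passed in is the one read back from the CA administrator, never one copied from the same PEM file.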