Configuring CAs and Digital Certificates
Creating a Trust Point CA Association

To create a trust point CA association, follow these steps:

Command: switch(config)# crypto ca trustpoint admin-ca
Purpose: Declares a trust point CA that the switch should trust and enters trust point configuration submode.
Note: The maximum number of trust points you can declare on a switch is 16.

Command: switch(config)# no crypto ca trustpoint
Purpose: Removes the trust point CA.

Command: switch(config-trustpoint)# enroll terminal
Purpose: Specifies manual cut-and-paste certificate enrollment.
Note: Manual cut-and-paste certificate enrollment is the only method supported for enrollment.

Command: switch(config-trustpoint)# rsakeypair SwitchA
Purpose: Specifies the label of the RSA key-pair to be associated to this trust point for the purpose of enrollment. It was generated earlier in the "Generating an RSA Key-Pair" section on page 34-6. Only one RSA key-pair can be specified per CA.

Command: switch(config-trustpoint)# no rsakeypair
Purpose: Disassociates the RSA key-pair from the trust point.

Command: (not captured in the source text)
Purpose: Exits trust point configuration submode.

Command: switch# copy running-config startup-config
Purpose: Copies the running configuration to the startup configuration to ensure the configuration is persistent across reboots.

Authenticating the CA

The configuration process of trusting a CA is complete only when the CA is authenticated to the MDS switch. The switch must authenticate the CA. It does this by obtaining the self-signed certificate of the CA in PEM format, which contains the public key of the CA. Because the certificate of the CA is self-signed (the CA signs its own certificate), the public key of the CA should be manually authenticated by contacting the CA administrator and comparing the fingerprint of the CA certificate.

If the CA being authenticated is not a self-signed CA (that is, it is a subordinate CA to another CA, which itself may be a subordinate to yet another CA, and so on, finally ending in a self-signed CA), then the full list of the CA certificates of all the CAs in the certification chain needs to be input during the CA authentication step. This is called the CA certificate chain of the CA being authenticated. The maximum number of certificates in a CA certificate chain is 10.

Cisco MDS 9000 Family CLI Configuration Guide
Configuring Certificate Authorities and Digital Certificates
OL-16184-01, Cisco MDS SAN-OS Release 3.x
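The checks an operator performs by hand during the CA authentication step above (comparing the certificate fingerprint against the value obtained from the CA administrator, and pasting a chain that is ordered subordinate-first, ends in a self-signed CA, and has at most 10 certificates) can be rehearsed before touching the switch. The following Python is an added example, not code from the Cisco guide or from SAN-OS: every function name (pem_to_der, fingerprint, fingerprint_matches, issuer_and_subject, check_chain, make_sample_cert, to_pem) is this example's own, the certificates are constructed stand-ins with placeholder keys and signatures, issuer and subject Names are compared as raw DER bytes rather than under full RFC 5280 name matching, and no signature is verified; the switch still does the cryptographic verification when the chain is entered.

```python
import base64
import hashlib
import hmac
import re

MAX_CHAIN_LEN = 10  # limit on a CA certificate chain stated in the guide
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """DER bytes of every certificate in a PEM bundle, in the order they were pasted."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem_text)]

def fingerprint(der, algo="sha256"):
    """Colon-separated hex digest of the DER, the form a CA administrator reads out."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprint_matches(der, expected):
    """Constant-time compare against a fingerprint obtained out of band.
    Tolerates case, colons and spaces; SHA-1 or SHA-256 is picked from the hex length."""
    hexstr = re.sub(r"[^0-9A-Fa-f]", "", expected).upper()
    algo = {40: "sha1", 64: "sha256"}.get(len(hexstr))
    if algo is None:
        return False
    return hmac.compare_digest(hashlib.new(algo, der).hexdigest().upper(), hexstr)

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, end offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_and_subject(der):
    """Raw DER of the issuer and subject Names of an X.509 certificate."""
    _, cert, _ = _tlv(der, 0)              # Certificate
    _, tbs, _ = _tlv(cert, 0)              # tbsCertificate
    tag, _, pos = _tlv(tbs, 0)
    if tag == 0xA0:                        # [0] EXPLICIT version present (v2/v3)
        _, _, pos = _tlv(tbs, pos)         # serialNumber follows it; for v1 it was first
    _, _, pos = _tlv(tbs, pos)             # signature AlgorithmIdentifier
    start = pos
    _, _, pos = _tlv(tbs, pos)             # issuer Name
    issuer = tbs[start:pos]
    _, _, pos = _tlv(tbs, pos)             # validity
    start = pos
    _, _, pos = _tlv(tbs, pos)             # subject Name
    return issuer, tbs[start:pos]

def check_chain(pem_bundle):
    """Structural checks on a chain to be pasted during CA authentication.
    Expects the subordinate CA first and the self-signed root last; returns a list of
    problems (empty when the layout is acceptable). Signatures are NOT verified here."""
    ders = pem_to_der(pem_bundle)
    if not ders:
        return ["no certificate found in the pasted text"]
    problems = []
    if len(ders) > MAX_CHAIN_LEN:
        problems.append(f"{len(ders)} certificates in chain, maximum is {MAX_CHAIN_LEN}")
    names = [issuer_and_subject(d) for d in ders]
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i} is not issued by certificate {i + 1}")
    if names[-1][0] != names[-1][1]:
        problems.append("last certificate is not self-signed (chain does not end in a root CA)")
    return problems

# --- Constructed sample data: X.509 field layout with placeholder key and signature ---
def _der(tag, content):
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content

def _name(cn):
    """X.501 Name holding a single commonName (OID 2.5.4.3) attribute."""
    attr = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, attr))

def make_sample_cert(subject_cn, issuer_cn):
    """Constructed stand-in certificate: parses like X.509 but carries no real key or signature."""
    sha256_rsa = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sha256_rsa
               + _name(issuer_cn)
               + _der(0x30, _der(0x18, b"20240101000000Z") + _der(0x18, b"20340101000000Z"))
               + _name(subject_cn) + _der(0x30, b""))          # empty placeholder SPKI
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00" * 9))  # placeholder signature

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    root = make_sample_cert("Example Root CA", "Example Root CA")
    sub = make_sample_cert("Example Sub CA", "Example Root CA")
    print("root fingerprint (compare with the CA administrator):", fingerprint(root))
    print("chain sub -> root:", check_chain(to_pem(sub) + to_pem(root)))
    print("chain pasted in the wrong order:", check_chain(to_pem(root) + to_pem(sub)))
```

To use it against a real CA, replace the constructed certificates with the PEM text the CA administrator supplied, confirm `fingerprint_matches` returns True for the fingerprint read out over a trusted channel, and only then paste the chain into the switch. The constant-time compare and the tolerant normalisation are there so that a fingerprint read out in lower case or without colons does not produce a false mismatch that tempts an operator to skip the check.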