Enterasys Security Router X-PeditionTM User Manual page 372

Interoperability Profile for the XSR
1. Begin by asking your CA administrator for your CA name and URL. The CA's URL defines its
IP address, path and default port (80). You can resolve the CA server address manually by
pinging its IP address.
2. Be sure that the XSR time setting is correct according to the UTC time zone so that it is
synchronized with the CA's time. For example:
XSR#clock timezone -7 0
3. Specify the enrollment URL, authenticate the CA and retrieve the root certificate. Check your
CA Website to ensure that the printed fingerprint matches the CA's fingerprint, which is
retrieved from the CA itself, to verify the CA is not a fake. If bona fide, accept the certificate, if
not, check to be sure the certificate is deleted and not stored in the CA database. In certain
situations you may need to specify a particular CA identity name. Consult your administrator
for more information.
XSR(config)#crypto ca identity hightest
XSR(config-ca-identity)#enrollment url http://192.168.1.33/certsrv/mscep/
mscep.dll/
XSR(config-ca-identity)#exit
XSR(config)#crypto ca authenticate PKItestca1
Certificate has the following attributes:
Fingerprint: D423E129 81904CE0 1E6D0FE0 A123A302
Do you accept this certificate? [yes/no] y
4. Display your CA certificates to verify all root and associated certificates are present. In the RA
Mode example below, Hightest is the root CA of three certificates. Non-RA Mode CAs return
one certificate only.
XSR(config)#show crypto ca certificates
CA Certificate - Hightest
State:
Version:
Serial Number:
Issuer:
Valid From:
Valid To:
Subject:
Fingerprint:
Certificate Size:
RA KeyEncipher Certificate - Hightest-rae
State:
Version:
Serial Number:
Issuer:
Valid From:
Valid To:
Subject:
Fingerprint:
Certificate Size:
RA Signature Certificate - Hightest-ras
14-50 Configuring the Virtual Private Network
CA-AUTHENTICATED
V3
6083684655030387331394927502614112809
C=US, O=sml, CN=hightest
2002 Jun 4th, 12:40:46 GMT
2004 Jun 4th, 12:48:15 GMT
C=US, O=sml, CN=hightest
D423E129 81904CE0 1E6D0FE0 A123A302
1157 bytes
CA-AUTHENTICATED
V3
458128935273366930063530
C=US, O=sml, CN=hightest
2002 Jul 24th, 20:45:14 GMT
2003 Jul 24th, 20:55:14 GMT
C=US, O=sml, sml_requestor
F1279D63 AFFC3D93 48E5F311 73A1D16F
1695 bytes