Command:

crypto ca enroll

Mode:

Router(config)#


Syntax:

crypto ca enroll name

no crypto ca enroll name


Syntax Description:

name Specifies the name of the CA. Use the same name as when you declared the CA using the crypto ca identity command.

Command Description:

To obtain your router's certificate(s) from the certification authority, use the crypto ca enroll command in global configuration mode. To delete a current enrollment request, use the no form of this command.

If your router reboots after you issued the crypto ca enroll command but before you received the certificate(s), you must reissue the command and notify the CA administrator.


Example:

In the following example, a router with a general-purpose RSA key pair requests a certificate from the CA. When the router displays the certificate fingerprint, the administrator verifies this number by calling the CA administrator, who checks the number. The fingerprint is correct, so the router administrator accepts the certificate.

There can be a delay between when the router administrator sends the request and when the certificate is actually received by the router. The amount of delay depends on the CA method of operation:

myrouter(config)#crypto ca enroll myca
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
  password to the CA Administrator in order to revoke your certificate.
  For security reasons your password will not be saved in the configuration.
  Please make a note of it.
Password: <mypassword>
Re-enter password: <mypassword>
% The subject name in the certificate will be: myrouter.example.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 03433678
% Include an IP address in the subject name [yes/no]? yes
Interface: ethernet0/0
Request certificate from CA [yes/no]? yes
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto ca certificate' command will also show the fingerprint.
myrouter(config)#

Some time later, the router receives the certificate from the CA and displays the following confirmation message:

myrouter(config)# Fingerprint: 01234567 89ABCDEF FEDCBA98 75543210
%CRYPTO-6-CERTRET: Certificate received from Certificate Authority
myrouter(config)#

If necessary, the router administrator can verify the displayed Fingerprint with the CA administrator.


If there is a problem with the certificate request and the certificate is not granted, the following message is displayed on the console instead:

%CRYPTO-6-CERTREJ: Certificate enrollment request was rejected by Certificate Authority

The subject name in the certificate is automatically assigned to be the same as the RSA key pair's name. In the above example, the RSA key pair was named "myrouter.example.com." (The router assigned this name.)

Requesting certificates for a router with special usage keys would be the same as the previous example, except that two certificates would have been returned by the CA. When the router received the two certificates, the router would have displayed the same confirmation message:

%CRYPTO-6-CERTRET: Certificate received from Certificate Authority


Misconceptions:

None.


Related commands:

crypto ca authenticate
crypto ca identity

� Cisco Systems, Inc. 2001, 2002, 2003
World Wide Education

Converted from CHM to HTML with chm2web Pro 2.85 (unicode)