Command:

crypto ca identity

Mode:

Router(config)#


Syntax:

crypto ca identity name
no crypto ca identity name


Syntax Description:

name Creates a name for the CA. (If you previously declared the CA and just want to update its characteristics, specify the name you previously created.) The CA might require a particular name, such as its domain name.

Command Description:

To declare the certification authority that your router should use, use the crypto ca identity command in global configuration mode. To delete all identity information and certificates associated with the CA, use the no form of this command.


Example:

The following example declares a CA and identifies characteristics of the CA. In this example, the name "myca" is created for the CA, which is located at http://ca_server.

The CA does not use an RA or LDAP, and the CA's scripts are stored in the default location. This is the minimum possible configuration required to declare a CA.

Router(config)#crypto ca identity myca
enrollment url http://ca_server

The following example declares a CA when the CA uses an RA. The CA's scripts are stored in the default location, and the CA uses SCEP instead of LDAP. This is the minimum possible configuration required to declare a CA that uses an RA.

Router(config)#crypto ca identity myca_with_ra
enrollment url http://ca_server
enrollment mode ra
query url ldap://serverx

The following example declares a CA that uses an RA and a nonstandard cgi-bin script location. This example also specifies a nonstandard retry period and retry count, and permits the router to accept certificates when CRLs are not obtainable.

Router(config)#crypto ca identity myca_with_ra
enrollment url http://example_ca/cgi-bin/somewhere/scripts.exe
enrollment mode ra
query url ldap://serverx
enrollment retry-period 20
enrollment retry-count 100
crl optional

In the previous example, if the router does not receive a certificate back from the CA within 20 minutes of sending a certificate request, the router will resend the certificate request. The router will keep sending a certificate request every 20 minutes until a certificate is received or until 100 requests have been sent.

If the CA cgi-bin script location is not /cgi-bin/pkiclient.exe (the default CA cgi-bin script location), you also need to include the nonstandard script location in the URL, in the form http://CA_name/script_location, where script_location is the full path to the CA scripts.
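As an added example (not part of this command reference or of Cisco IOS), the following Python script parses the sub-commands shown above out of a saved configuration and reports the settings a reviewer would want to see: crl optional, a nonstandard script location, and the total enrollment retry window (retry-period times retry-count). The sample configuration it carries is constructed from the third example; the parsing rules assume IOS-style output where sub-mode commands are indented by one space.

```python
import re
from urllib.parse import urlparse

# Constructed sample configuration, modelled on the page's third example.
SAMPLE_CONFIG = """\
crypto ca identity myca_with_ra
 enrollment url http://example_ca/cgi-bin/somewhere/scripts.exe
 enrollment mode ra
 query url ldap://serverx
 enrollment retry-period 20
 enrollment retry-count 100
 crl optional
"""
FIELDS = {  # sub-command patterns from this page; each captures the value that follows
    "enrollment_url": r"enrollment url (\S+)",
    "mode": r"enrollment mode (\S+)",
    "query_url": r"query url (\S+)",
    "retry_period": r"enrollment retry-period (\d+)",
    "retry_count": r"enrollment retry-count (\d+)",
    "crl": r"crl (\S+)",
}

def parse_ca_identities(config):
    """Return {name: [sub-command, ...]}; a block ends at the next unindented line."""
    identities, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto ca identity (\S+)$", line)
        if m:
            current = identities.setdefault(m.group(1), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # '!' or any other top-level line closes the block
    return identities

def audit_identity(subcommands):
    """Extract the documented fields and return (fields, findings)."""
    fields = {name: None for name in FIELDS}
    for sub in subcommands:
        for name, pattern in FIELDS.items():
            if m := re.fullmatch(pattern, sub):
                fields[name] = m.group(1)
    findings = []
    if fields["crl"] == "optional":
        findings.append("crl optional: certificates accepted even when the CRL cannot be fetched")
    path = urlparse(fields["enrollment_url"] or "").path
    if path not in ("", "/", "/cgi-bin/pkiclient.exe"):  # default location named on the page
        findings.append(f"nonstandard CA script location {path}")
    if fields["retry_period"] and fields["retry_count"]:
        findings.append(f"enrollment keeps retrying for up to {int(fields['retry_period']) * int(fields['retry_count'])} minutes")
    return fields, findings
```

Run against a full `show running-config` capture, the parser returns every identity block, so each can be audited in turn.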


Misconceptions:

None.


Related commands:

crypto ca enroll

© Cisco Systems, Inc. 2001, 2002, 2003
World Wide Education
