% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
ISR_RA(config)# exit
•
Configure a PKI trustpoint and PKI server to enroll to the CA server.
ISR_RA# configure terminal
ISR_RA(config)# crypto pki trustpoint MSCA
ISR_RA(ca-trustpoint)# enrollment mode ra
ISR_RA(ca-trustpoint)# enrollment url http://10.81.116.249/certsrv/mscep/mscep.dll
ISR_RA(ca-trustpoint)# serial-number
ISR_RA(ca-trustpoint)# fingerprint 81512B4316429092925C6891701B374EBD254447
ISR_RA(ca-trustpoint)# revocation-check none
ISR_RA(ca-trustpoint)# rsakeypair MSCA_Key 2048
ISR_RA(ca-trustpoint)# exit
ISR_RA(config)# crypto pki server MSCA
ISR_RA(cs-server)# grant auto trustpointMIC_trustpoint
ISR_RA(cs-server)# hash sha1
ISR_RA(cs-server)# mode ra transparent
ISR_RA(cs-server)# no shutdown
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:
Re-enter password:
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 22 seconds)
Certificate has the following attributes:
Fingerprint MD5: CDE40276 04A28DA8 BDE5DF48 0BC1A8F7
Fingerprint SHA1: 81512B43 16429092 925C6891 701B374 EBD254447
Trustpoint Fingerprint: AE5CDEF2 A633DEF4 1D5A5104 7D6A8BD7 E08B576C
Certificate validated - fingerprints matched.
Trustpoint CA certificate accepted.%
% Start certificate enrollment ...
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will include: ISR_RA
% The serial number in the certificate will be: <REMOVED>
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose MSCA' command will show the fingerprint.
% Enrollment in progress...
ISR_RA(cs-server)#% Exporting Certificate Server signing certificate and keys...
Feb 17 15:21:42: CRYPTO_PKI: Certificate Request Fingerprint MD5: CDE40276 04A28DA8 BDE5DF48
0BC1A8F7
Feb 17 15:21:42: CRYPTO_PKI: Certificate Request Fingerprint SHA1: AE5CDEF2 A633DEF4 1D5A5104
7D6A8BD7 E08B576C
Feb 17 15:21:43: %PKI-6-CERTRET: Certificate received from Certificate Authority
Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide
184