Cisco ISR 4000 Family Routers Administrator Guidance
4.6.4.3 Authenticating the Certificate Authority
The TOE must authenticate the CA by confirming that the certificate attributes it displays match the fingerprint the CA has published. The TOE administrator must verify that the output of the command below matches the fingerprint posted on the CA's public site.
1. Authenticate the CA: crypto ca authenticate trustpoint-name
Device (config)#crypto ca authenticate ciscotest
Certificate has the following attributes:
Fingerprint MD5: 8DE88FE5 78FF27DF 97BA7CCA 57DC1217
Fingerprint SHA1: 271E80EC 30304CC1 624EEE32 99F43AF8 DB9D0280
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
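The comparison step above is manual: the administrator reads the fingerprint from the `crypto ca authenticate` output and checks it against the value the CA published. The following is an added helper, not part of this guidance or of Cisco IOS, that makes that check mechanical. It parses the IOS output block, normalizes fingerprints from either source (IOS prints upper-case hex in groups of eight, while CA sites often publish colon-separated lower-case hex), and can also compute the same grouped fingerprint from a certificate file so the published value can be checked against the actual DER bytes. The IOS output embedded below is the block shown on this page; all other inputs are constructed sample values.

```python
import base64
import hashlib
import re

# The `crypto ca authenticate` output block shown on this page, embedded here as sample input.
IOS_AUTH_OUTPUT = """\
Certificate has the following attributes:
Fingerprint MD5: 8DE88FE5 78FF27DF 97BA7CCA 57DC1217
Fingerprint SHA1: 271E80EC 30304CC1 624EEE32 99F43AF8 DB9D0280
"""

# Hash constructors for the two fingerprint algorithms IOS prints.
_DIGESTS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}


def normalize_fingerprint(fp):
    """Drop separators (spaces, colons) and case so fingerprints from any source compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def parse_ios_fingerprints(output):
    """Extract {'MD5': ..., 'SHA1': ...} (normalized) from the 'Fingerprint <ALG>:' lines."""
    found = {}
    for m in re.finditer(r"Fingerprint\s+(MD5|SHA1):\s*([0-9A-Fa-f ]+)", output):
        found[m.group(1)] = normalize_fingerprint(m.group(2))
    return found


def pem_to_der(pem):
    """Strip PEM armour and base64-decode to the DER bytes a fingerprint is computed over."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def ios_fingerprint(der, algo="SHA1"):
    """Fingerprint of a DER certificate, formatted as IOS prints it: upper-case hex in groups of 8."""
    hexdigest = _DIGESTS[algo](der).hexdigest().upper()
    return " ".join(hexdigest[i:i + 8] for i in range(0, len(hexdigest), 8))


def fingerprints_match(ios_output, published, algo="SHA1"):
    """True only if the fingerprint IOS displayed equals the published one for the chosen algorithm."""
    shown = parse_ios_fingerprints(ios_output).get(algo)
    if shown is None:
        return False  # IOS did not print that algorithm; refuse rather than guess.
    return shown == normalize_fingerprint(published)


if __name__ == "__main__":
    # Constructed published value (colon-separated, lower-case) matching the page's SHA1 line.
    published_sha1 = "27:1e:80:ec:30:30:4c:c1:62:4e:ee:32:99:f4:3a:f8:db:9d:02:80"
    print("SHA1 matches:", fingerprints_match(IOS_AUTH_OUTPUT, published_sha1))
```

Answer `yes` to the IOS prompt only when the comparison is true for the SHA1 line; the MD5 line is printed for compatibility, but MD5 is not collision resistant, so it should not be the value you rely on. The check is only as trustworthy as the channel the published fingerprint came from, so obtain it from the CA's site over an already-trusted connection rather than from the same path the certificate arrived on.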
4.6.4.4 Storing Certificates to a Local Storage Location
Certificates are stored to NVRAM by default; however, some routers do not have enough NVRAM to store certificates successfully. All Cisco platforms support NVRAM and flash local storage. Depending on the platform, an authorized administrator may have other supported local storage options, including bootflash, slot, disk, USB flash, or USB token. At run time, an authorized administrator can specify which active local storage device will be used to store certificates. For more detailed information see [9].
How to Specify a Local Storage Location for Certificates
The summary steps for storing certificates locally to the TOE are as follows:
1. Enter configure terminal mode:
TOE-common-criteria# configure terminal
2. Specify the local storage location for certificates: crypto pki certificate storage location-name
Device(config)# crypto pki certificate storage flash:/certs
3. Exit:
Device(config)# exit
4. Save the changes made:
Device# copy system:running-config nvram:startup-config
5. Display the current setting for the PKI certificate storage location:
Device# show crypto pki certificates storage
The following is sample output from the show crypto pki certificates storage command, which
shows that the certificates are stored in the certs subdirectory of disk0:
Device# show crypto pki certificates storage
Certificates will be stored in disk0:/certs/
4.6.4.5 Configuring a Revocation Mechanism for PKI Certificate Status Checking
Perform this task to set up the certificate revocation mechanism (CRLs or OCSP) that is used to check the status of certificates in a PKI.
Page 37 of 66