Cisco ASR 1000 Series Common Criteria Operational User Guidance And Preparative Procedures page 40
Aggregation services router
Hide thumbs
Also See for ASR 1000 Series:
- Software configuration manual (602 pages) ,
- Configuration manual (442 pages) ,
- Replacing (120 pages)
Table of Contents
Advertisement
Use the stop keyword to specify that the certificate is already trusted. This is the
default setting.
Use the continue keyword to specify that the that the subordinate CA certificate
associated with the trustpoint must be validated.
The parent-trustpoint argument specifies the name of the parent trustpoint the
certificate must be validated against.
Note: A trustpoint associated with the root CA cannot be configured to be validated to
the next level. The chain-validation command is configured with the continue keyword
for the trust point associated with the root CA, an error message will be displayed and
the chain validation will revert to the default chain-validation command setting.
4. Exit:
TOE-common-criteria(ca-trustpoint)# exit
4.6.4.8
Certificate Validation
By default the TOE will validate the certificate of the IPsec peer including a Basic Constraints
extension. No configuration is required by the administrator. Optionally as a way to test a Basic
Constraints extension, the administrator can add subject name restrictions to the CA root
trustpoint. Refer to How to Configure Certificate Enrollment for a PKI" in [22]. A portion of an
example TOE configuration follows below.
TOE-common-criteria (config)# crypto pki certificate map <certificate map name> 1
subject-name co example
TOE-common-criteria (config)# crypto pki trustpoint CAroot
TOE-common-criteria (ca-trustpoint)# enrollment terminal
TOE-common-criteria (ca-trustpoint)# match certificate <certificate map name>
TOE-common-criteria (ca-trustpoint)#end
TOE-common-criteria (config)# crypto pki trustpoint CA sub
TOE-common-criteria (ca-trustpoint)# enrollment terminal
TOE-common-criteria (ca-trustpoint)# subject-name CN=example.organization.com,OU=Spiral
Dept,O=Example
TOE-common-criteria (ca-trustpoint)# match certificate <certificate map name>
TOE-common-criteria (ca-trustpoint)#end
The administrator should find an error message stating that certificate chain validation has failed
because a certificate in the chain was not a valid CA certificate.
4.6.4.9
Setting X.509 for use with IKE
Once X.509v3 keys are installed on the TOE, they can be set for use with IKEv1 with the
commands:
TOE-common-criteria (config)#crypto isakmp policy 1
TOE-common-criteria (config-isakmp)# authentication rsa-sig
Page 40 of 72
Hide quick links:
Advertisement
Table of Contents
Related Manuals for Cisco ASR 1000 Series
Related Products for Cisco ASR 1000 Series
- Cisco ASR1000-RP1 - ASR 1000 Series Route Processor 1 Router
- Cisco ASR1000-RP2 - ASR 1000 Series Route Processor 2 Router
- Cisco ASR-1000-SIP10
- Cisco ASR1002-5G-SEC/K9 - ASR 1002 VPN+FW Bundle Router
- Cisco ASR1002-5G-SHA/K9 - ASR 1002 Sec+HA Bundle Router
- Cisco ASR1004-10G-SHA/K9 - ASR 1004 Sec+HA Bundle Router
- Cisco ASR1004-20G-SEC/K9 - ASR 1004 VPN+FW Bundle Router
- Cisco ASR1006-10G-SEC/K9 - ASR 1006 VPN+FW Bundle Router
- Cisco ASR1006-10G-VPN/K9 - ASR 1006 VPN Bundle Router
- Cisco ASR1006-10G-SHA/K9 - ASR 1006 Sec+HA Bundle Router
- Cisco ASR1006-10G-HA/K9 - ASR 1006 HA Bundle Router
- Cisco ASR1004-10G/K9 - ASR 1004 Router
- Cisco ASR1006 - ASR 1006 Modular Expansion Base
- Cisco ASR 1002-F
- Cisco ASR 1002-RP1
- Cisco ASR 1002-RP2