- Enterasys Security Router User's Guide

VPN Configuration Overview
Configuring the Virtual Private Network
XSR(config)#ip domain acme.com
8. Enroll for an end-entity certificate from a CA that you have previously authenticated;
e.g., ldapca.
The CLI script will prompt you to enter and re-enter a challenge password, which you either
create or are given by your CA administrator.
If you create the password, save it so it can be used later in case you need to
revoke the certificate. Respond yes to all questions, and jot down the certificate serial number
for comparison purposes.
XSR(config)#crypto ca enroll ldapca
%
% Start certificate enrollment
Create a challenge password. You will need to verbally
provide this password to the CA Administrator in order to
revoke your certificate. For security reasons your password
will not be saved in the configuration.
Please make a note of it.
Password:****
Re-enter password:****
Request certificate from CA (y/n) ? y
You may experience a short delay while RSA keys are generated.
Once key generation is complete, the certificate request
will be sent to the Certificate Authority.
Use 'show crypto ca certificate' to show the fingerprint.
XSR(config)#<186>Aug 29 7:11:1 192.168.1.33 PKI: A certificate was successfully
received from the CA.
<186>Nov 13 21:03:20 63.81.64.58 AAA: Current device Time: 2003 Nov 13th, 21:03:20 GMT
<186>Nov 13 21:03:20 63.81.64.58 AAA: Certificate valid from: 2003 Nov 13th, 21:57:02 GMT
<186>Nov 13 21:03:20 63.81.64.58 AAA: Certificate valid to: 2004 Aug 5th, 16:16:08 GMT
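An added example (not part of the Enterasys guide): a Python check that reads the three AAA lines logged after enrollment and reports whether the certificate's validity window covers the device clock. In the sample output above the device time (21:03:20) is earlier than the certificate's valid-from time (21:57:02), so the check returns NOT_YET_VALID. The function names and the 30-day expiry warning are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# The three AAA lines from the enrollment output above, copied verbatim.
SAMPLE_LOG = """\
<186>Nov 13 21:03:20 63.81.64.58 AAA: Current device Time: 2003 Nov 13th, 21:03:20 GMT
<186>Nov 13 21:03:20 63.81.64.58 AAA: Certificate valid from: 2003 Nov 13th, 21:57:02 GMT
<186>Nov 13 21:03:20 63.81.64.58 AAA: Certificate valid to: 2004 Aug 5th, 16:16:08 GMT
"""

# Hypothetical names below; the timestamp layout is taken from the sample lines.
LABELS = {"Current device Time": "now",
          "Certificate valid from": "not_before",
          "Certificate valid to": "not_after"}
FIELD_RE = re.compile(
    r"AAA: (" + "|".join(LABELS) + r"): "
    r"(\d{4}) (\w{3}) (\d{1,2})(?:st|nd|rd|th), (\d{2}:\d{2}:\d{2}) GMT")

def parse_times(log_text):
    """Return device time and validity bounds as UTC datetimes."""
    out = {}
    for label, year, mon, day, clock in FIELD_RE.findall(log_text):
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        out[LABELS[label]] = ts.replace(tzinfo=timezone.utc)
    missing = set(LABELS.values()) - out.keys()
    if missing:
        raise ValueError(f"missing AAA fields: {sorted(missing)}")
    return out

def check_validity(log_text, warn=timedelta(days=30)):
    """Classify the certificate against the device clock; return (status, margin)."""
    t = parse_times(log_text)
    if t["now"] < t["not_before"]:
        return "NOT_YET_VALID", t["not_before"] - t["now"]
    if t["now"] > t["not_after"]:
        return "EXPIRED", t["now"] - t["not_after"]
    remaining = t["not_after"] - t["now"]
    return ("EXPIRING_SOON" if remaining <= warn else "VALID"), remaining

if __name__ == "__main__":
    status, margin = check_validity(SAMPLE_LOG)
    print(status, margin)
```

The margin returned with NOT_YET_VALID is how far the device clock trails the start of the validity window.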
9. Once the certificate is properly enrolled, issue the show crypto ca certificates command to
display the end-entity and other certificates. The first certificate shown, identified as being in
ENTITY-ACTIVE state, is the end-entity certificate. Compare the Subject ID to the serial
number displayed earlier by the enrollment script to verify its authenticity.
XSR#show crypto ca certificates
Certificate - issued by ldapca
State: ENTITY-ACTIVE
Version: V3
Serial Number: 75289387826578118934757
Issuer: C=US, O=sml, CN=ldapca
Valid From: 2003 Nov 13th, 22:16:00 GMT
Valid To: 2004 Aug 5th, 16:16:08 GMT
Subject: unstructuredName=corp
Fingerprint: ABF37B67 7200CCDA 604CB10C D5AC7F49
Certificate Size: 1590 bytes
CA Certificate - ldapca
State: CA-AUTHENTICATED
Version: V3
Serial Number: 6083684655030387331394927502614112809