User's Manual
2-30
Catalyst 6500 Series Switch WebVPN Module Command Reference—Release 1.1
OL-7310-01
Chapter 2 Commands for the Catalyst 6500 Series Switch WebVPN Module
crypto pki trustpoint
You should declare one trustpoint to be used by the module for each certificate. The trustpoint-label value should match the key-label value of the keys; however, this is not a requirement.

When you specify the IP address of the WebVPN gateway that will use this certificate, some web browsers compare the IP address in the SSL server certificate with the IP address that might appear in the URL. If the IP addresses do not match, the browser may display a dialog box and ask the client to accept or reject this certificate.
When specifying the subject-name line value, use these guidelines:
• The subject-name command uses the Lightweight Directory Access Protocol (LDAP) format.
• Arguments specified in the subject name must be enclosed in quotation marks if they contain a comma. For example, O="Cisco, Inc."
• Some browsers compare the common name (CN) field of the subject name in the SSL server certificate with the hostname that might appear in the URL. If the names do not match, the browser may display a dialog box and ask the client to accept or reject the certificate. Also, some browsers will reject the SSL session setup and close the session if the CN field is not defined in the certificate.
Examples
This example shows how to declare the trustpoint PROXY1 and verify connectivity:
webvpn(config)# crypto pki trustpoint PROXY1
webvpn(ca-trustpoint)# rsakeypair PROXY1
webvpn(ca-trustpoint)# enrollment url http://exampleCA.cisco.com
webvpn(ca-trustpoint)# ip-address 10.0.0.1
webvpn(ca-trustpoint)# password password
webvpn(ca-trustpoint)# serial-number
webvpn(ca-trustpoint)# subject-name C=US; ST=California; L=San Jose; O=Cisco; OU=Lab; CN=host1.cisco.com
webvpn(ca-trustpoint)# end
webvpn# ping example.cisco.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
webvpn#
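Before enrolling, it is worth checking the subject-name line against the guidelines above. The following is an added example, not Cisco code or part of this manual: it parses the LDAP-format subject-name (accepting the semicolon separators used in the PROXY1 example as well as quoted values containing a comma) and checks the CN against the hostname clients will type into the URL, which is the comparison browsers make. The gateway hostname passed in is an assumption supplied by the operator.

```python
"""Lint a WebVPN trustpoint subject-name line before enrolling.
Added example (not Cisco code): parses the LDAP-format subject-name,
honouring the rule that a value containing a comma must be quoted, and
checks the CN against the hostname clients will put in the URL."""
import re

# Subject-name from the manual's PROXY1 example, used as sample input.
EXAMPLE_SUBJECT = "C=US; ST=California; L=San Jose; O=Cisco; OU=Lab; CN=host1.cisco.com"
# attribute '=' then either a double-quoted value or a run of non-separator
# characters, followed by a ';' or ',' separator or end of line
_PAIR = re.compile(r'\s*([A-Za-z]+)\s*=\s*("[^"]*"|[^;,]*)\s*(?:[;,]|$)')


def parse_subject_name(line):
    """Return the subject-name as an ordered list of (attribute, value) pairs.
    Both ';' and ',' are accepted as separators; a double-quoted value may
    contain either. An unquoted comma inside a value raises ValueError."""
    pairs, pos = [], 0
    while pos < len(line):
        m = _PAIR.match(line, pos)
        if not m or m.end() == pos:
            raise ValueError("malformed subject-name near %r (quote values "
                             "that contain a comma)" % line[pos:pos + 20])
        attr, value = m.group(1).upper(), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        pairs.append((attr, value))
        pos = m.end()
    return pairs


def check_subject_name(line, gateway_hostname):
    """Return a list of findings; an empty list means browsers should accept
    the CN for the given gateway hostname without a warning dialog."""
    findings = []
    pairs = parse_subject_name(line)
    cn_values = [v for a, v in pairs if a == "CN"]
    if not cn_values:
        findings.append("CN missing: some browsers reject the SSL session")
    elif cn_values[0].lower() != gateway_hostname.lower():
        findings.append("CN %r does not match gateway hostname %r: browsers "
                        "may warn" % (cn_values[0], gateway_hostname))
    for attr, value in pairs:
        if not value:
            findings.append("%s has an empty value" % attr)
    return findings


if __name__ == "__main__":
    for host in ("host1.cisco.com", "gateway.example.com"):
        print(host, check_subject_name(EXAMPLE_SUBJECT, host) or "OK")
```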
Table 2-1 Certificate-Authority Trustpoint Submode Commands (continued)

Command                                 Purpose and Guidelines                                                          Defaults
subject-name line                       (Optional) Configures the host name of the WebVPN gateway.
usage {ike | ssl-client | ssl-server}   (Optional) Specifies the intended use for the certificate.
vrf vrf                                 Name of the VPN routing and forwarding instance (VRF) to use for enrollment
                                        and obtaining CRLs.