Configuring Secure SRST for SCCP and SIP
How to Configure Secure Unified SRST
188
Cisco Unified SCCP and SIP SRST System Administrator Guide
OL-13143-04
Examples
The following example reflects one way of generating a CA:
Router(config)# crypto pki server srstcaserver
Router(cs-server)# database level complete
Router(cs-server)# database url nvram
Router(cs-server)# issuer-name CN=srstcaserver
Router(cs-server)# grant auto
% This will cause all certificate requests to be automatically granted.
Are you sure you want to do this? [yes/no]: y
Router(cs-server)# no shutdown
% Once you start the server, you can no longer change some of
% the configuration.
Are you sure you want to do this? [yes/no]: y
% Generating 1024 bit RSA keys ...[OK]
% Certificate Server enabled.
Autoenrolling and Authenticating the Secure Cisco Unified SRST Router to the CA Server
The secure Cisco Unified SRST Router needs to define a trustpoint; that is, it must obtain a device certificate from the CA server. This procedure is called certificate enrollment. Once enrolled, the secure Cisco Unified SRST Router can be recognized by Cisco Unified Communications Manager as a secure SRST router.

There are three options for enrolling the secure Cisco Unified SRST Router with a CA server: autoenrollment, cut and paste, and TFTP. When the CA server is a Cisco IOS certificate server, autoenrollment can be used. Otherwise, manual enrollment is required; manual enrollment refers to cut and paste or TFTP.

Use the enrollment url command for autoenrollment and the crypto pki authenticate command to authenticate the SRST router. Full instructions for the commands can be found in the Certification Authority Interoperability Commands documentation. An example of autoenrollment is available in the Certificate Enrollment Enhancements feature. A sample configuration is provided in the “Examples” section on page 190.
SUMMARY STEPS
1. crypto pki trustpoint name
2. enrollment url url
3. revocation-check method1
4. exit
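The four summary steps above, followed by the crypto pki authenticate step the text names, written out as one CLI session. This is an added example, not the guide's own sample configuration (which is on page 190). The trustpoint name srstca, the CA router address 10.1.1.22 and the fingerprint shown are constructed placeholders; the CA it enrolls against is assumed to be the srstcaserver created in the Examples section, reached over the Cisco IOS certificate server's HTTP (SCEP) interface. The final crypto pki enroll command is not listed in the summary steps; it is the standard Cisco IOS command that submits the router's certificate request once the CA has been authenticated.

```text
! Added example (not from the guide). Placeholder values: srstca, 10.1.1.22.
! Step 1: define the trustpoint that will hold the CA and device certificates.
Router(config)# crypto pki trustpoint srstca
! Step 2: point enrollment at the IOS certificate server (SCEP over HTTP).
Router(ca-trustpoint)# enrollment url http://10.1.1.22:80
! Step 3: "none" skips CRL lookups; use "crl" if the CA publishes a reachable CRL.
Router(ca-trustpoint)# revocation-check none
! Step 4: leave trustpoint configuration mode.
Router(ca-trustpoint)# exit
! Fetch and authenticate the CA certificate. The router prints the CA fingerprint;
! compare it with the fingerprint reported on the CA router (show crypto pki server)
! before answering yes, so the trustpoint cannot be anchored to the wrong CA.
Router(config)# crypto pki authenticate srstca
Certificate has the following attributes:
Fingerprint: <compare with the CA router's own fingerprint>   ! placeholder
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
! Submit the device certificate request; the CA's "grant auto" issues it without
! operator approval, which is why that setting is removed once enrollment is done.
Router(config)# crypto pki enroll srstca
```

The fingerprint comparison is the one check in this sequence that cannot be automated away: until the CA certificate is accepted, nothing else authenticates the server at the enrollment URL, so the value displayed must match what the CA operator reports out of band.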
Step 5
grant auto
Example:
Router (cs-server)# grant auto
Allows a certificate to be issued automatically to any requestor.
• This command is used only during enrollment and will be removed in the “Disabling Automatic Certificate Enrollment” section on page 190.
Step 6
no shutdown
Example:
Router (cs-server)# no shutdown
Enables the Cisco IOS certificate server.
• You should issue this command only after you have completely configured your certificate server.
Command or Action | Purpose