Configuring Secure SRST for SCCP and SIP
How to Configure Secure Unified SRST
190
Cisco Unified SCCP and SIP SRST System Administrator Guide
OL-13143-04
Examples
The following example autoenrolls and authenticates the Cisco Unified SRST router:
Router(config)# crypto pki trustpoint srstca
Router(ca-trustpoint)# enrollment url http://10.1.1.22
Router(ca-trustpoint)# revocation-check none
Router(ca-trustpoint)# exit
Router(config)# crypto pki authenticate srstca
Certificate has the following attributes:
Fingerprint MD5: 4C894B7D 71DBA53F 50C65FD7 75DDBFCA
Fingerprint SHA1: 5C3B6B9E EFA40927 9DF6A826 58DA618A BF39F291
% Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.
Router(config)# crypto pki enroll srstca
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The fully-qualified domain name in the certificate will be: router.cisco.com
% The subject name in the certificate will be: router.cisco.com
% Include the router serial number in the subject name? [yes/no]: y
% The serial number in the certificate will be: D0B9E79C
% Include an IP address in the subject name? [no]: n
Request certificate from CA? [yes/no]: y
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto pki certificate' command will also show the fingerprint.
Sep 29 00:41:55.427: CRYPTO_PKI: Certificate Request Fingerprint MD5: D154FB75 2524A24D 3D1F5C2B 46A7B9E4
Sep 29 00:41:55.427: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 0573FBB2 98CD1AD0 F37D591A C595252D A17523C1
Sep 29 00:41:57.339: %PKI-6-CERTRET: Certificate received from Certificate Authority
Disabling Automatic Certificate Enrollment
The command grant auto allows certificates to be issued and was activated in the optional task documented in the “Configuring a Certificate Authority Server on a Cisco IOS Certificate Server” section on page 186.
Note: You should disable the grant auto command so that certificates cannot be continually granted.
SUMMARY STEPS
1. crypto pki server cs-label
2. shutdown
3. no grant auto
4. no shutdown
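
To confirm that grant auto is no longer set after this procedure, a saved running configuration can be checked offline. The following Python script is an added example, not part of the Cisco guide: the sample configuration and the CA server labels srstcaserver and labca are constructed, and the script also reports trustpoints that use revocation-check none, as the trustpoint in the enrollment example does.

```python
import re

# Constructed sample running-config for illustration; the CA server labels
# "srstcaserver" and "labca" are assumed names, not taken from the guide.
SAMPLE_CONFIG = """\
crypto pki server srstcaserver
 database level complete
 grant auto
!
crypto pki trustpoint srstca
 enrollment url http://10.1.1.22
 revocation-check none
!
crypto pki server labca
 no grant auto
!
interface GigabitEthernet0/0
 shutdown
"""

SECTION = re.compile(r"^crypto pki (server|trustpoint) (\S+)\s*$")
# Sub-commands worth reporting, keyed by the kind of block they appear in.
WATCHED = {"server": "grant auto", "trustpoint": "revocation-check none"}

def parse_pki_sections(config):
    """Return [(kind, label, [sub-commands])] for each crypto pki block."""
    sections, current = [], None
    for line in config.splitlines():
        match = SECTION.match(line)
        if match:
            current = (match.group(1), match.group(2), [])
            sections.append(current)
        elif current and line.startswith(" "):
            current[2].append(line.strip())  # indented line belongs to the block
        else:
            current = None  # "!" or any other top-level command ends the block
    return sections

def audit(config):
    """Return (kind, label, command) for every watched setting still enabled."""
    return [(kind, label, WATCHED[kind])
            for kind, label, cmds in parse_pki_sections(config)
            if WATCHED[kind] in cmds]  # exact match, so "no grant auto" passes

if __name__ == "__main__":
    for kind, label, command in audit(SAMPLE_CONFIG):
        print(f"{kind} {label}: '{command}' is set")
```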