Configuring CAs and Digital Certificates
Note: You must authenticate the CA before configuring certificate revocation checking.
To configure certificate revocation checking methods, follow these steps:

Step 1
  Command
    switch(config)# crypto ca trustpoint admin-ca
    switch(config-trustpoint)#
  Purpose
    Declares a trust point CA that the switch should trust and enters trust point configuration submode.

Step 2
  Command
    switch(config-trustpoint)# ocsp url http://crlcheck.cisco.com
  Purpose
    Specifies the URL for OCSP to use to check for revoked certificates.

  Command
    switch(config-trustpoint)# no ocsp url http://crlcheck.cisco.com
  Purpose
    Removes the URL for OCSP.

Step 3
  Command
    switch(config-trustpoint)# revocation-check ocsp
  Purpose
    Specifies OCSP as the revocation checking method to be employed during verification of peer certificates issued by the same CA as that of this trust point.
    Note: The OCSP URL must be configured before specifying OCSP as a revocation checking method.

  Command
    switch(config-trustpoint)# revocation-check crl
  Purpose
    Specifies CRL (the default) as the revocation checking method to be employed during verification of peer certificates issued by the same CA as that of this trust point.

  Command
    switch(config-trustpoint)# revocation-check crl ocsp
  Purpose
    Specifies CRL as the first revocation checking method and OCSP as the next method. If the CRL method fails during verification of peer certificates issued by the same CA as that of this trust point (for example, because the CRL is not found or has expired), OCSP is used.
    Note: The OCSP URL must be configured before specifying OCSP as a revocation checking method.

  Command
    switch(config-trustpoint)# revocation-check none
  Purpose
    Does not check for revoked certificates. Peer certificates issued by this CA are accepted even if the CA has revoked them.

  Command
    switch(config-trustpoint)# no revocation-check
  Purpose
    Reverts to the default method (CRL).

Generating Certificate Requests

You must generate a request to obtain identity certificates from the associated trust point CA for each of your switch's RSA key-pairs. You must then cut and paste the displayed request into an e-mail message or a website form for the CA.

Cisco MDS 9000 Family CLI Configuration Guide, OL-18084-01, Cisco MDS NX-OS Release 4.x
Chapter 36, Configuring Certificate Authorities and Digital Certificates, page 36-10
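The revocation checking steps above leave two states a reviewer should look for in a switch's running configuration: a trust point set to revocation-check none, which accepts revoked peer certificates, and an OCSP method on a trust point that has no ocsp url to query. The following script is an added example, not code from the Cisco guide or from NX-OS: it parses crypto ca trustpoint blocks out of show running-config text and reports both conditions, treating a trust point with no revocation-check line as using the CRL default named above. The sample configuration and trust point names (partner-ca, legacy-ca, default-ca) are constructed for the example.

```python
"""Audit NX-OS trust point configuration for weak certificate revocation checking.

Added example, not from the Cisco MDS guide. It parses 'crypto ca trustpoint'
blocks from 'show running-config' text and flags two settings the guide's
revocation-check procedure warns about:
  * 'revocation-check none'  - revoked peer certificates are accepted
  * an OCSP method configured while the trust point has no 'ocsp url'
A trust point with no 'revocation-check' line is treated as CRL, the default.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample running-config; not captured from a real switch.
SAMPLE_CONFIG = """\
crypto ca trustpoint admin-ca
  ocsp url http://crlcheck.cisco.com
  revocation-check crl ocsp
crypto ca trustpoint partner-ca
  revocation-check none
crypto ca trustpoint legacy-ca
  revocation-check ocsp
crypto ca trustpoint default-ca
"""


@dataclass
class Trustpoint:
    name: str
    ocsp_url: str = ""
    # Default when no revocation-check line is present: CRL.
    methods: List[str] = field(default_factory=lambda: ["crl"])


def parse_trustpoints(config: str) -> Dict[str, Trustpoint]:
    """Collect each 'crypto ca trustpoint' block and its indented sub-commands."""
    trustpoints: Dict[str, Trustpoint] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"crypto ca trustpoint (\S+)$", line)
        if m:
            current = Trustpoint(m.group(1))
            trustpoints[current.name] = current
            continue
        if current is None or not raw.startswith(" "):
            current = None  # an unindented line means we left the submode
            continue
        m = re.match(r"ocsp url (\S+)$", line)
        if m:
            current.ocsp_url = m.group(1)
            continue
        m = re.match(r"revocation-check (.+)$", line)
        if m:
            # e.g. "crl ocsp" -> ["crl", "ocsp"], tried in that order
            current.methods = m.group(1).split()
    return trustpoints


def audit(tp: Trustpoint) -> List[str]:
    """Return findings for one trust point; an empty list means it passes."""
    findings: List[str] = []
    if tp.methods == ["none"]:
        findings.append(
            "revocation-check none: revoked peer certificates from this CA are "
            "accepted; use 'no revocation-check' to restore the CRL default")
    if "ocsp" in tp.methods and not tp.ocsp_url:
        findings.append(
            "OCSP is a revocation method but no 'ocsp url' is configured; "
            "set the URL before 'revocation-check ocsp'")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Audit every trust point in a running-config text."""
    return {name: audit(tp) for name, tp in parse_trustpoints(config).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if not findings else 'WEAK'}")
        for finding in findings:
            print(f"    - {finding}")
```

Run against the sample, admin-ca and default-ca pass, partner-ca is reported for revocation-check none, and legacy-ca is reported for naming OCSP without an ocsp url. The parser relies only on the indentation NX-OS uses for submode lines, so the same function can be pointed at a saved show running-config capture.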