- Use the stop keyword to specify that the certificate is already trusted. This is the default setting.
- Use the continue keyword to specify that the subordinate CA certificate associated with the trustpoint must be validated.
- The parent-trustpoint argument specifies the name of the parent trustpoint the certificate must be validated against.
Note: A trustpoint associated with the root CA cannot be configured to be validated to the next level. If the chain-validation command is configured with the continue keyword for the trustpoint associated with the root CA, an error message will be displayed and the chain validation will revert to the default chain-validation command setting.
4.  Exit: 
TOE-common-criteria(ca-trustpoint)# exit 
4.6.4.8    Certificate Validation 
By default the TOE validates the certificate of the IPsec peer, including the Basic Constraints extension. No configuration is required by the administrator. Optionally, as a way to test the Basic Constraints extension, the administrator can add subject name restrictions to the CA root trustpoint. Refer to "How to Configure Certificate Enrollment for a PKI" in [22]. A portion of an example TOE configuration follows below.
 
TOE-common-criteria (config)# crypto pki certificate map <certificate map name> 1
TOE-common-criteria (ca-certificate-map)# subject-name co example

TOE-common-criteria (config)# crypto pki trustpoint CAroot
TOE-common-criteria (ca-trustpoint)# enrollment terminal
TOE-common-criteria (ca-trustpoint)# match certificate <certificate map name>
TOE-common-criteria (ca-trustpoint)# end

TOE-common-criteria (config)# crypto pki trustpoint CAsub
TOE-common-criteria (ca-trustpoint)# enrollment terminal
TOE-common-criteria (ca-trustpoint)# subject-name CN=example.organization.com,OU=Spiral Dept,O=Example
TOE-common-criteria (ca-trustpoint)# match certificate <certificate map name>
TOE-common-criteria (ca-trustpoint)# end
 
The administrator should find an error message stating that certificate chain validation has failed 
because a certificate in the chain was not a valid CA certificate. 
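The check the TOE performs here is the one RFC 5280 requires of any path validator: every certificate that issues another certificate in the chain must carry a Basic Constraints extension with cA=TRUE, and any pathLenConstraint it carries must not be exceeded. The following Python is an added example that is not part of this guidance document or of the TOE software; it decodes the Basic Constraints extension from its DER encoding and applies the rule to a chain of constructed certificate records (plain dictionaries, not real X.509 objects; only the extension bytes are genuine DER). The trustpoint names CAroot and CAsub are reused from the configuration above; the leaf subject name is likewise taken from it.

```python
# Added example: DER decoding of X.509 Basic Constraints (OID 2.5.29.19) and a
# chain check that rejects an issuer lacking cA=TRUE, as the TOE does.
# Certificates below are constructed dicts; only the extension bytes are DER.

BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")   # 2.5.29.19 in DER OID form


def der_read_tlv(buf, pos=0):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos).
    Supports short-form and long-form (up to 4 byte) lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER")
    return tag, value, pos + length


def der_children(buf):
    """Decode every TLV inside a constructed value into a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = der_read_tlv(buf, pos)
        out.append((tag, value))
    return out


def parse_extension(ext_der):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    tag, body, _ = der_read_tlv(ext_der)
    if tag != 0x30:
        raise ValueError("extension is not a SEQUENCE")
    fields = der_children(body)
    oid, idx, critical = fields[0][1], 1, False
    if fields[idx][0] == 0x01:                 # optional critical BOOLEAN
        critical, idx = fields[idx][1] == b"\xff", idx + 1
    if fields[idx][0] != 0x04:
        raise ValueError("extnValue is not an OCTET STRING")
    return oid, critical, fields[idx][1]


def parse_basic_constraints(extn_value):
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }."""
    tag, body, _ = der_read_tlv(extn_value)
    if tag != 0x30:
        raise ValueError("basicConstraints is not a SEQUENCE")
    ca, path_len = False, None                 # cA absent means FALSE (DER omits defaults)
    for t, v in der_children(body):
        if t == 0x01:
            ca = v == b"\xff"
        elif t == 0x02:
            path_len = int.from_bytes(v, "big", signed=True)
    return ca, path_len


def basic_constraints(cert):
    """Return (cA, pathLenConstraint) for a cert record, or (False, None) if the extension is absent."""
    for ext in cert["extensions"]:
        oid, _critical, value = parse_extension(ext)
        if oid == BASIC_CONSTRAINTS_OID:
            return parse_basic_constraints(value)
    return False, None


def validate_chain(chain):
    """chain is ordered leaf first, root last. Each issuing certificate must be a CA
    whose pathLenConstraint (if any) covers the intermediates beneath it."""
    for i in range(1, len(chain)):
        child, issuer = chain[i - 1], chain[i]
        if child["issuer"] != issuer["subject"]:
            return False, "chain validation failed: issuer name mismatch below %s" % issuer["subject"]
        ca, path_len = basic_constraints(issuer)
        if not ca:
            return False, "chain validation failed: %s is not a valid CA certificate" % issuer["subject"]
        intermediates_below = i - 1            # CAs between this issuer and the leaf
        if path_len is not None and intermediates_below > path_len:
            return False, "chain validation failed: pathLenConstraint %d of %s exceeded" % (path_len, issuer["subject"])
    return True, "chain validation succeeded"


# Constructed DER extensions (hand-encoded, verified against the ASN.1 above).
EXT_BC_CA = bytes.fromhex("300f0603551d130101ff040530030101ff")            # critical, cA=TRUE
EXT_BC_CA_PATHLEN0 = bytes.fromhex("30120603551d130101ff040830060101ff020100")  # cA=TRUE, pathLen 0
EXT_BC_END_ENTITY = bytes.fromhex("300c0603551d130101ff04023000")          # critical, cA omitted (FALSE)
EXT_KEY_USAGE = bytes.fromhex("300e0603551d0f0101ff0404030205a0")          # unrelated extension, must be skipped

# Constructed certificate records mirroring the trustpoints in the configuration above.
ROOT = {"subject": "CN=CAroot", "issuer": "CN=CAroot", "extensions": [EXT_BC_CA]}
ROOT_PATHLEN0 = {"subject": "CN=CAroot", "issuer": "CN=CAroot", "extensions": [EXT_BC_CA_PATHLEN0]}
SUB_GOOD = {"subject": "CN=CAsub", "issuer": "CN=CAroot", "extensions": [EXT_KEY_USAGE, EXT_BC_CA]}
SUB_NOT_CA = {"subject": "CN=CAsub", "issuer": "CN=CAroot", "extensions": [EXT_KEY_USAGE, EXT_BC_END_ENTITY]}
LEAF = {"subject": "CN=example.organization.com", "issuer": "CN=CAsub", "extensions": [EXT_KEY_USAGE, EXT_BC_END_ENTITY]}

if __name__ == "__main__":
    for name, chain in (("good", [LEAF, SUB_GOOD, ROOT]),
                        ("sub not CA", [LEAF, SUB_NOT_CA, ROOT]),
                        ("root pathLen 0", [LEAF, SUB_GOOD, ROOT_PATHLEN0])):
        print(name, "->", validate_chain(chain))
```

The second chain reproduces the failure the guidance expects: the subordinate certificate carries a Basic Constraints extension without cA=TRUE, so the walk stops at CAsub with "not a valid CA certificate" rather than continuing to the root. The third chain shows the related pathLenConstraint rule, which a validator must also enforce even though this section does not discuss it.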
4.6.4.9    Setting X.509 for use with IKE 
Once X.509v3 keys are installed on the TOE, they can be set for use with IKEv1 with the 
commands: 
TOE-common-criteria (config)# crypto isakmp policy 1
TOE-common-criteria (config-isakmp)# authentication rsa-sig