When you need customized trustpoints, you need to create them earlier with
the same name and then configure the CA server.

For example, if you need exportable keys for the CA server, then create a
trustpoint with the same name as the CA server and associate an exportable
key with it.

Now when you enable the CA server, it will use the trustpoint and hence the
exportable keys.

When the trustpoint is auto-generated, the keys generated are
non-exportable. With auto-generation, the keys and certificate are archived
the first time.

So, you can use the auto-generated trustpoint in the lab unless they ask for any
specifics.


With regards
Kings

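As an added illustration of the order of operations described above (example config, not from either poster): generate an exportable RSA key pair, create a trustpoint with the same name, and only then bring up the CA server so it adopts that trustpoint instead of auto-generating a non-exportable one. The server name and address are taken from Mark's example; the modulus, key label and the password placeholder are assumptions.

```cisco
! 1. Generate the key pair first, marked exportable (the auto-generated pair is not).
crypto key generate rsa general-keys label R6CASERVER exportable modulus 2048

! 2. Create the trustpoint with the SAME name the CA server will use,
!    and bind it to the exportable key pair.
crypto pki trustpoint R6CASERVER
 enrollment url http://6.6.6.6:80
 rsakeypair R6CASERVER
 revocation-check crl

! 3. Now enable the CA server. Because a trustpoint of the same name already
!    exists, IOS uses it (and its exportable keys) rather than creating its own.
crypto pki server R6CASERVER
 database url flash:
 database archive pem password CHANGE-ME-PLACEHOLDER
 grant auto
 no shutdown

! Check: the key should be listed as exportable.
!   show crypto key mypubkey rsa
! Backup of the CA key pair and certificate (the reason for wanting exportable keys):
!   crypto pki export R6CASERVER pem terminal 3des CHANGE-ME-PLACEHOLDER
```

If the trustpoint is created after "no shutdown", the server will already have auto-generated a non-exportable pair under that name, so the order matters.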
On Mon, Sep 19, 2011 at 7:05 AM, Mark Senteza <[email protected]>wrote:

> Hey all,
>
> When configuring your IOS router as a CA Server, I've read that you need to
> configure that very CA server's trustpoint and authenticate & enroll with
> it.
>
> In the past, every time I've configured a router as a CA server, the
> trustpoint is always auto-configured as soon as I "no shutdown" on the CA
> server, i.e. I never configure the trustpoint on the CA server once I've
> set up the CA Server itself.
>
> I then proceed to configure the other devices that need to enroll with the
> CA Server, and they authenticate each other (authentication rsa-sig)
> successfully using the certificates when building VPNs. The difference I've
> noticed though, when I don't configure the trustpoint on the CA Server, is
> that with the auto-configured trustpoint on the CA Server, the "enrollment
> url" statement isn't there.
>
> Example:
>
> crypto pki server R6CASERVER
>  database url flash:
>  grant auto
>  no shutdown
>
> crypto pki trustpoint R6CASERVER
>  enrollment url http://6.6.6.6:80   <- in the auto-configured trustpoint (once you run "no shutdown" above) this statement doesn't exist
>  revocation-check crl
>
> What is everybody else's experience when configuring CA Servers, and what's
> the best recommendation for me to adopt going forward ?
>
> Mark
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>