
Enrollment url, Crypto ca enroll – Enterasys Networks X-Pedition XSR CLI User Manual


CA Identity Mode Commands

14-88 Configuring the VPN

XSR(config)#crypto ca identity ACMEca
XSR(ca-identity)#enrollment url http://ca_server
XSR(ca-identity)#enrollment retry period 5

enrollment url

This command sets the Uniform Resource Locator (URL) of the Certificate Authority (CA). If the 
CA cgi-bin script site is not the default /cgi-bin/pkiclient.exe at the CA, you must also include the 
non-standard script site in the URL as http://CA_name/script_location where script_location is the 
full path to the CA scripts. Be aware that the URL format may vary.

Syntax

enrollment url url

Syntax of the “no” Form

This command’s no form deletes the CA's URL value from the configuration:

no enrollment url url

Mode

Certificate Authority Identity configuration: 

XSR(ca-identity)#

Examples

The following example shows the minimum configuration required to declare a CA:

XSR(config)#crypto ca identity ACMEca
XSR(ca-identity)#enrollment url http://ca_server

The example below shows a static IP hostname for the enrollment URL:

XSR(config)#crypto ca identity CAserver
XSR(ca-identity)#enrollment url http://ParentCA.domain.com/certsrv/mscep/mscep.dll
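
The following script is an added example, not part of the original manual or of Enterasys software. It reads a captured configuration or CLI session and reports, for each CA identity, the URL that enrollment requests will go to, applying the default /cgi-bin/pkiclient.exe script site when the enrollment URL names only the CA. It assumes that saved configuration lines match the commands as typed and that a bare http://CA_name resolves to the default script site, as the description above implies; the function names and the LabCA identity are hypothetical.

```python
import re
from urllib.parse import urlsplit

DEFAULT_SCRIPT = "/cgi-bin/pkiclient.exe"  # default CA script site named in the manual text
PROMPT = re.compile(r"^XSR\([^)]*\)#\s*")  # strip CLI prompts if lines come from a pasted session

def effective_enrollment_urls(config_text):
    """Map each CA identity to the URL enrollment requests go to, or None if unset."""
    result, current = {}, None
    for raw in config_text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if words[:3] == ["crypto", "ca", "identity"] and len(words) == 4:
            current = words[3]
            result.setdefault(current, None)
        elif current and words[:2] == ["enrollment", "url"] and len(words) == 3:
            parts = urlsplit(words[2])
            # Assumption: a bare http://CA_name (or a lone "/") uses the default script site.
            path = parts.path if parts.path not in ("", "/") else DEFAULT_SCRIPT
            result[current] = f"{parts.scheme}://{parts.netloc}{path}"
        elif current and words[:3] == ["no", "enrollment", "url"]:
            result[current] = None  # the no form deletes the CA's URL value
    return result

def incomplete_identities(config_text):
    """CA identities lacking the enrollment url that the minimum configuration requires."""
    urls = effective_enrollment_urls(config_text)
    return sorted(name for name, url in urls.items() if url is None)

# Constructed sample: the manual's two examples plus a hypothetical identity
# (LabCA) whose URL was later removed with the no form.
SAMPLE = """\
XSR(config)#crypto ca identity ACMEca
XSR(ca-identity)#enrollment url http://ca_server
XSR(ca-identity)#enrollment retry period 5
XSR(config)#crypto ca identity CAserver
XSR(ca-identity)#enrollment url http://ParentCA.domain.com/certsrv/mscep/mscep.dll
XSR(config)#crypto ca identity LabCA
XSR(ca-identity)#enrollment url http://lab_ca
XSR(ca-identity)#no enrollment url http://lab_ca
"""

if __name__ == "__main__":
    for name, url in effective_enrollment_urls(SAMPLE).items():
        print(f"{name:10} {url or 'NO ENROLLMENT URL'}")
```

Comparing the reported URLs against the list of approved CA servers shows which identities would enroll somewhere unexpected or cannot enroll at all.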

crypto ca enroll

This command enrolls a certificate for the XSR with the specified Certificate Authority (CA). It is 
not saved in the XSR configuration file but in a local encrypted database named cert.dat.

url

The URL of the CA where the XSR sends certificate requests. The URL may be in the 
form of http://CA_name where CA_name is the CA's host IP address or defined static IP 
hostname.

Notes: You can remove existing certificates with the no certificate command.

If an enroll request to the Entrust CA fails, be sure the CA does not contain an outstanding
PENDING enroll request from that same XSR left by a previously incomplete enroll request. Because
the Entrust CA allows only one outstanding request from any single client seeking certificate
enrollment, the CA administrator must delete the pending certificate for the outstanding request at
the CA; then the XSR can reissue its certificate enrollment request.

For Verisign CA compliance, you must provide the domain name that you specified when signing up
with Verisign by using the ip domain command. See page 5-155 for command details.