Sunday, April 24, 2011

Install Cert on Cisco Router/Switch

If you have an internal MS PKI server, you can install your own certs on Cisco routers and switches for SSH or HTTPS access. In addition to manual installation, you may need to download the SCEP add-on for Certificate Services to enable auto-enrollment. Here is the download link:
http://www.microsoft.com/downloads/en/details.aspx?familyid=9f306763-d036-41d8-8860-1636411b2d01&displaylang=en

Here is a sample code that you will need on your Cisco gear:

ip domain-name xxxx.com
ip domain-lookup
crypto ca trustpoint yyyy
enrollment url http://zzzz/certsrv/mscep/mscep.dll
enrollment retry count 3
enrollment retry period 5
fqdn hostname.xxxx.com
exit
crypto ca authenticate yyyy
crypto ca enroll yyyy

where:
xxxx.com is your domain name
yyyy is your trustpoint/CA Server Name
zzzz is the CA server name of the CA enrollment URL
hostname is the DNS name of your router or switch

You will need to answer a few Yes/No prompts and enter a password for the last two commands. You will also need to make sure the time on the Cisco gear and the PKI server is synced to an NTP server. Your DNS server should have an A record for the gear.
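Before answering yes at the crypto ca authenticate prompt, the fingerprint IOS displays should match the CA certificate obtained out of band from the PKI server. The Python script below is an added example (not from the original post) that prints the MD5 and SHA1 fingerprints of an exported CA certificate in the same grouped layout; it assumes a file name such as ca.cer and, with no argument, falls back to a constructed DER sample that is not a real certificate.

```python
"""Added example (not from the original post): print the MD5/SHA1
fingerprints of a CA certificate (DER or PEM export) in the layout IOS
shows at the 'crypto ca authenticate' prompt, for side-by-side comparison."""
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# Constructed stand-in for offline runs: a 5-byte DER SEQUENCE, not a real cert.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"

def to_der(data: bytes) -> bytes:
    """Accept DER or a PEM/Base64 export and return the raw DER bytes."""
    m = PEM_RE.search(data)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data

def der_sequence_length(data: bytes) -> int:
    """Total encoded length of the DER SEQUENCE at data[0], or -1 when the
    framing is inconsistent (wrong tag, truncated, or trailing bytes)."""
    if len(data) < 2 or data[0] != 0x30:
        return -1
    first = data[1]
    if first < 0x80:                      # short-form length
        body_len, hdr = first, 2
    else:                                 # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return -1
        body_len = int.from_bytes(data[2:2 + n], "big")
        hdr = 2 + n
    total = hdr + body_len
    return total if total == len(data) else -1

def ios_fingerprints(der: bytes) -> dict:
    """{"MD5": ..., "SHA1": ...} over the DER bytes, formatted like IOS:
    uppercase hex in space-separated groups of eight characters."""
    out = {}
    for name, fn in (("MD5", hashlib.md5), ("SHA1", hashlib.sha1)):
        h = fn(der).hexdigest().upper()
        out[name] = " ".join(h[i:i + 8] for i in range(0, len(h), 8))
    return out

if __name__ == "__main__":
    # Usage: python ca_fp.py ca.cer  (no argument: hash the constructed sample)
    der = to_der(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PEM)
    if der_sequence_length(der) < 0:
        sys.exit("input is not a single well-formed DER certificate")
    for name, fp in ios_fingerprints(der).items():
        print(f"Fingerprint {name}: {fp}")
```

If the CA is exported as a PKCS#7 chain (.p7b) rather than a single certificate, the DER check rejects it; export the root CA certificate on its own instead.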
