User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Understanding Public Key Infrastructure Policies
Page 25-57

Table 25-11 PKI Enrollment Dialog Box—CA Information Tab (Continued)
Columns: Element, Description
Element: Enrollment URL (URL enrollment only.)

Description: The URL of the CA server to which devices should attempt to enroll. The URL can be in the following formats:

  SCEP: Uses an HTTP URL in the form http://CA_name:port, where CA_name is the host DNS name or IP address of the CA server. The port number is mandatory.

  TFTP: Uses the format tftp://certserver/file_specification. Use this option when you do not have direct access to the CA server. The TFTP server transfers certificate requests and certificates.

  Other supported formats include: bootflash, cns, flash, ftp, null, nvram, rcp, scp, and system.

  Note: If the CA cgi-bin script location at the CA is not the default (/cgi-bin/pkiclient.exe), you must also include the nonstandard script location in the URL, in the form http://CA_name:port/script_location, where script_location is the full path to the CA scripts.
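The rules in the Enrollment URL row (a mandatory port for SCEP URLs, the tftp://certserver/file_specification form, the other listed schemes, and the nonstandard script location) can be checked mechanically before an enrollment object is saved. The following is an added example, not code from the Cisco guide or from Security Manager; the scheme list and the port rule come from the table, and the host names and file names used below are constructed.

```python
"""Added example: validate a PKI enrollment URL against the formats in
the table above. Not Cisco code. Host names and paths used in the usage
section are constructed.
"""
from urllib.parse import urlsplit

# Formats the table lists besides SCEP (http) and tftp.
OTHER_SCHEMES = {"bootflash", "cns", "flash", "ftp", "null",
                 "nvram", "rcp", "scp", "system"}
DEFAULT_SCEP_SCRIPT = "/cgi-bin/pkiclient.exe"


def check_enrollment_url(url: str) -> dict:
    """Describe a valid enrollment URL, or raise ValueError naming the
    rule it breaks."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "http":                      # SCEP over HTTP
        if not parts.hostname:
            raise ValueError("SCEP URL needs the CA host name or IP address")
        if parts.port is None:                # "The port number is mandatory."
            raise ValueError("SCEP URL must include the port number")
        # An explicit path is the nonstandard cgi-bin script location.
        script = parts.path if parts.path not in ("", "/") else DEFAULT_SCEP_SCRIPT
        return {"method": "SCEP", "ca": parts.hostname, "port": parts.port,
                "script": script,
                "nonstandard_script": script != DEFAULT_SCEP_SCRIPT}
    if scheme == "tftp":
        if not parts.hostname or not parts.path.strip("/"):
            raise ValueError("TFTP URL must be tftp://certserver/file_specification")
        return {"method": "TFTP", "server": parts.hostname,
                "file": parts.path.lstrip("/")}
    if scheme in OTHER_SCHEMES:
        # e.g. bootflash:ca.crt; the part after the scheme is kept as given
        return {"method": scheme, "location": url[len(parts.scheme) + 1:]}
    raise ValueError(f"unsupported enrollment URL scheme: {parts.scheme!r}")


if __name__ == "__main__":
    # Constructed candidates: the last one lacks the mandatory port.
    for candidate in ("http://10.1.1.5:80",
                      "http://ca.example.com:8080/certsrv/mscep/mscep.dll",
                      "tftp://certserver/certs/router1.req",
                      "bootflash:ca.crt",
                      "http://ca.example.com"):
        try:
            print(candidate, "->", check_enrollment_url(candidate))
        except ValueError as err:
            print(candidate, "-> rejected:", err)
```

The check deliberately accepts only the schemes the table names, so an https:// URL or a bare host with no scheme is rejected rather than silently passed through to the device.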
Element: CA Certificate Source; Fingerprint; Certificate (URL enrollment only.)

Description: How to obtain the certificate:

  Retrieve CA Certificate Using SCEP (the default): Have the router retrieve the certificate from the CA server using the Simple Certificate Enrollment Process (SCEP). Enter the fingerprint for the CA server in hexadecimal format. If the value you enter does not match the fingerprint on the certificate, the certificate is rejected.

  Using the fingerprint to verify the authenticity of the CA's certificate helps prevent an unauthorized party from substituting a fake certificate in place of the real one.

  Tip: You can obtain the CA's fingerprint by contacting the server directly, or by entering the following address in a web browser: http://URLHostName/certsrv/mscep/mscep.dll. Using the fingerprint is supported only on Cisco IOS software releases 12.3(12) or higher, 12.3(14)T or higher, 12.4 or higher (including 15.x), and 12.2(33)XNA or higher.

  Enter CA Certificate from CA Server Manually: Copy and paste up to three certificates from another device into the Certificate field (using your browser's Paste function or the Ctrl-V keyboard shortcut). Each certificate must begin with the word "certificate" and end with the word "quit". Use this option when you want the PKI enrollment object to represent predefined certificates.
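Two items in the row above can be shown in working code: the fingerprint check (the hash of the certificate must equal the configured hexadecimal value, otherwise the certificate is rejected) and the pasted-certificate format (up to three blocks, each beginning with "certificate" and ending with "quit"). The following is an added example, not code from the Cisco guide or from Security Manager. It assumes that the text between "certificate" and "quit" is the hex-encoded DER certificate, as it appears in an IOS running configuration, and that the fingerprint is the hex digest of those DER bytes; SHA-1 is assumed here because the guide does not name the hash, so change ALGORITHM to whatever the CA reports. SAMPLE_PASTE is constructed and is not a real X.509 certificate.

```python
"""Added example: parse pasted CA certificate blocks and check a
fingerprint. Not Cisco code. Assumptions: hex-encoded DER between
'certificate' and 'quit' (IOS config style); fingerprint = hex digest of
the DER bytes, SHA-1 assumed. SAMPLE_PASTE is constructed, not a real cert.
"""
import hashlib
import hmac

MAX_CERTIFICATES = 3      # the Certificate field accepts up to three
ALGORITHM = "sha1"        # assumed; the guide does not name the hash
HEX_DIGITS = set("0123456789ABCDEF")


def parse_pasted_certificates(text: str) -> list[bytes]:
    """Split pasted text into DER blobs: each block starts with a line
    beginning with 'certificate' and ends with a line reading 'quit'."""
    blobs, hex_lines, inside = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not inside:
            if line.lower().startswith("certificate"):
                inside, hex_lines = True, []
            elif line:
                raise ValueError(f"text outside a certificate block: {line!r}")
        elif line.lower() == "quit":
            blobs.append(bytes.fromhex("".join(hex_lines)))
            inside = False
        else:
            hex_lines.append(line.replace(" ", ""))
    if inside:
        raise ValueError("last certificate block is not terminated by 'quit'")
    if len(blobs) > MAX_CERTIFICATES:
        raise ValueError(f"at most {MAX_CERTIFICATES} certificates are accepted")
    return blobs


def fingerprint(der: bytes, algorithm: str = ALGORITHM) -> str:
    """Upper-case hex fingerprint of DER-encoded certificate bytes."""
    return hashlib.new(algorithm, der).hexdigest().upper()


def normalize_fingerprint(value: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex; reject anything else,
    since the dialog requires the value in hexadecimal."""
    cleaned = value.upper().replace(":", "").replace(" ", "").replace("-", "")
    if not cleaned or not set(cleaned) <= HEX_DIGITS:
        raise ValueError("fingerprint must be entered in hexadecimal")
    return cleaned


def verify_ca_certificate(der: bytes, expected: str,
                          algorithm: str = ALGORITHM) -> bool:
    """True only when the certificate's fingerprint equals the configured
    value; on a mismatch the certificate must be rejected."""
    return hmac.compare_digest(fingerprint(der, algorithm),
                               normalize_fingerprint(expected))


# Constructed sample paste with two blocks; the hex is not a real certificate.
SAMPLE_PASTE = """\
certificate ca 01
  30820123 0A0B0C0D
  DEADBEEF
quit
certificate 02
  3082 0456 0102
quit
"""

if __name__ == "__main__":
    for der in parse_pasted_certificates(SAMPLE_PASTE):
        fp = fingerprint(der)
        print(len(der), "bytes,", ALGORITHM, "fingerprint", fp,
              "matches configured value:", verify_ca_certificate(der, fp))
```

The comparison uses hmac.compare_digest so that the check takes the same time whether the mismatch is in the first or the last hex digit; normalize_fingerprint lets the operator paste the value in whatever separator style the CA displays it.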