CA Identity Mode Commands
14-88 Configuring the VPN
XSR(config)#crypto ca identity ACMEca
XSR(ca-identity)#enrollment url http://ca_server
XSR(ca-identity)#enrollment retry period 5

enrollment url

This command sets the Uniform Resource Locator (URL) of the Certificate Authority (CA). If the
CA cgi-bin script site is not the default /cgi-bin/pkiclient.exe at the CA, you must also include the
nonstandard script site in the URL as http://CA_name/script_location where script_location is the
full path to the CA scripts. Be aware that the URL format may vary.
Syntax
enrollment url url
Syntax of the “no” Form
This command's no form deletes the CA's URL value from the configuration:
no enrollment url url
Mode
Certificate Authority Identity configuration: XSR(ca-identity)#
Examples
The following example shows the minimum configuration required to declare a CA:
XSR(config)#crypto ca identity ACMEca
XSR(ca-identity)#enrollment url http://ca_server
The example below shows a static IP hostname for the enrollment URL:
XSR(config)#crypto ca identity CAserver
XSR(ca-identity)#enrollment url http://ParentCA.domain.com/certsrv/mscep/mscep.dll
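
The following added example (not part of the original manual or the XSR software) audits saved configuration text and reports, for each CA identity, the enrollment endpoint that results from the rule above. It assumes that a URL without a path means the default script site is used; the function name and the BrokenCA entry are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

DEFAULT_SCRIPT = "/cgi-bin/pkiclient.exe"  # default CA script site named on this page

# Constructed sample configuration; ACMEca and CAserver mirror the page's examples,
# BrokenCA is a made-up entry showing a URL split by a line wrap.
SAMPLE_CONFIG = """\
crypto ca identity ACMEca
 enrollment url http://ca_server
 enrollment retry period 5
crypto ca identity CAserver
 enrollment url http://ParentCA.domain.com/certsrv/mscep/mscep.dll
crypto ca identity BrokenCA
 enrollment url http://ParentCA.domain.com/ certsrv/mscep/
"""

def audit_enrollment_urls(config_text):
    """Return {ca_name: (effective_url, [findings])} for each CA identity block."""
    results, current = {}, None
    for raw in config_text.splitlines():
        # Tolerate pasted prompts such as XSR(config)# or XSR(ca-identity)#
        line = re.sub(r"^XSR\([\w-]+\)#", "", raw.strip())
        m = re.match(r"crypto ca identity (\S+)$", line)
        if m:
            current = m.group(1)
            results[current] = (None, ["no enrollment url configured"])
            continue
        m = re.match(r"enrollment url (.+)$", line)
        if not (m and current):
            continue  # other sub-commands (retry period, etc.) are ignored
        url, findings = m.group(1).strip(), []
        if re.search(r"\s", url):
            findings.append("whitespace inside URL (wrapped or mistyped line)")
            results[current] = (None, findings)
            continue
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.netloc:
            findings.append("not in the http://CA_name[/script_location] form")
        # Assumption: no path in the URL means the default script site applies.
        uses_default = parts.path in ("", "/")
        path = DEFAULT_SCRIPT if uses_default else parts.path
        if uses_default:
            findings.append("relies on default script site " + DEFAULT_SCRIPT)
        results[current] = (f"{parts.scheme}://{parts.netloc}{path}", findings)
    return results
```

An entry that relies on the default script site is worth confirming against the CA itself, since a CA that serves its scripts elsewhere needs the full script_location in the URL.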

crypto ca enroll

This command enrolls a certificate for the XSR with the specified Certificate Authority (CA). It is
not saved in the XSR configuration file but in a local encrypted database named cert.dat.
url    The URL of the CA where the XSR sends certificate requests. The URL may be in the
form of http://CA_name where CA_name is the CA's host IP address or defined static IP
hostname.
Notes: You can remove existing certificates with the no certificate command.
If an enroll request to the Entrust CA fails, be sure the CA does not contain an outstanding
PENDING enroll request from that same XSR left by a previously incomplete enroll request. Because
the Entrust CA allows only one outstanding request from any single client seeking certificate
enrollment, the CA administrator must delete the pending certificate for the outstanding request at
the CA; the XSR can then reissue its certificate enrollment request.
For Verisign CA compliance, you must provide the domain name that you specified when signing up
with Verisign by using the ip domain command. See page 5155 for command details.